An unusually sophisticated identity phishing campaign appeared to target Google's roughly 1 billion Gmail users worldwide, seeking to gain control of their entire email histories and spread itself to all of their contacts, Google confirmed Wednesday.

The worm — which arrives in users' inboxes posing as an email from a trusted contact — asks you to check out an attached "Google Docs," or GDocs, file. Clicking on the link takes you to your real Google security profile, where you're asked to give permission for the fake app posing as GDocs to manage your email account.

To make matters worse, the worm also sends itself out to all of your contacts — Gmail or otherwise — reproducing itself hundreds of times any time a single user falls for it.

Google said in a statement late Wednesday afternoon that it had "disabled the offending accounts ... removed the fake pages [and] pushed updates through Safe Browsing."

"Our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail," it said.

We are investigating a phishing email that appears as Google Docs. We encourage you to not click through & report as phishing within Gmail. — Google Docs (@googledocs) May 3, 2017

The strategy is a common one, but the worm that was released Wednesday was causing havoc for millions of users because of its unusually sophisticated construction: Not only does the malicious link look remarkably realistic and trustworthy, but the email that delivers it also appears to come from someone you already know — and the payload manipulates Google's real login system.

It all adds up to potential calamity for unsuspecting victims: With control of your Gmail account, the scammers can harvest any personal data you've ever sent or received in an email. That can allow them to generate password-reset requests on scores of other services, potentially letting the hackers take over, for example, your Amazon, Facebook or online bank accounts.

Employees and others connected to large companies, especially educational institutions and journalism organizations, began flooding social media about 2:30 p.m. ET reporting that they'd received the malicious email.

This gmail/docs hack is clever. It's abusing oauth to gain access to accounts. — Randall Smith (@PerlStalker) May 3, 2017

Do you Google? Or use GMAIL? Watch out for this scam & spread the word (not the virus!) https://t.co/gpay6CjFeT — St George Police (@sgcitypubsafety) May 3, 2017

Westchester School Officials Warn Of Gmail Email 'Situation' https://t.co/gIWtEL1piH pic.twitter.com/X8mBt0noVl — CortlandtDailyVoice (@CortlandtDV) May 3, 2017

SCAM ALERT: Gmail accounts across the country have been hacked, several agencies are asking you to be aware. https://t.co/SNCeKjPhWp — Shane Gustafson (@Shane_WMBD) May 3, 2017

Man, gmail's getting hammered today with spam and phishing attacks. — Lance (@lancewmccarthy) May 3, 2017

Within about an hour, the malicious email began appearing with a red warning that it could be a phishing attack.

Be careful, Twitter people with Gmail accounts! Do not click on the "doc share" box. It's a solid attempt at phishing. pic.twitter.com/OIGFIgZurV — Jen Lee Reeves (@jenleereeves) May 3, 2017

What you can do

While the malicious email is a dead ringer for a real message from a trusted friend, there is one key giveaway: The mail is sent to a fake email address in the main recipient field — hhhhhhhhhhhhhhhh@mailinator.com. Your address is included in the BCC field.

If you receive a Gmail message with the mailinator.com address as the main recipient, immediately report it as phishing by clicking the down arrow beside the reply button and selecting "Report phishing." Then delete it.
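For mail administrators, the giveaway described above can be checked automatically. The following is an added example, not code from Google or from this article: it flags a raw message whose visible recipient is at mailinator.com while the mailbox owner is absent from To/Cc. The function names, the sample messages and the example.com/example.org/example.net addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

DECOY_DOMAIN = "mailinator.com"  # visible-recipient domain reported in the article

def _addresses(msg, *headers):
    """Lower-cased addresses from the named headers (handles repeated headers)."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def check_message(raw, mailbox_owner):
    """Return the list of indicators a raw RFC 5322 message matches."""
    visible = _addresses(message_from_string(raw), "To", "Cc")
    domains = [a.rpartition("@")[2] for a in visible]
    reasons = []
    if any(d == DECOY_DOMAIN or d.endswith("." + DECOY_DOMAIN) for d in domains):
        reasons.append("visible recipient at " + DECOY_DOMAIN)
    if mailbox_owner.lower() not in visible:
        reasons.append("mailbox owner not in To/Cc")
    return reasons

def matches_campaign(raw, mailbox_owner):
    """Require both indicators; BCC delivery alone is normal for mailing lists."""
    return len(check_message(raw, mailbox_owner)) == 2

# Constructed sample messages (not captured traffic).
OWNER = "bob@example.org"
WORM_LIKE = (
    "From: Alice <alice@example.com>\n"
    "To: hhhhhhhhhhhhhhhh@mailinator.com\n"
    "Subject: shared document\n\n"
    "Open in Docs\n"
)
NEWSLETTER = (
    "From: News <news@example.net>\n"
    "To: subscribers@example.net\n"
    "Subject: weekly digest\n\n"
    "Hello\n"
)
DIRECT = (
    "From: Alice <alice@example.com>\n"
    "To: Bob <bob@example.org>\n"
    "Subject: lunch\n\n"
    "Noon?\n"
)

if __name__ == "__main__":
    for name, raw in [("worm-like", WORM_LIKE), ("newsletter", NEWSLETTER), ("direct", DIRECT)]:
        print(name, matches_campaign(raw, OWNER), check_message(raw, OWNER))
```

The BCC header itself is not present in delivered mail, so the check infers BCC delivery from the owner's absence in To and Cc.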

If you do click on the malicious link, don't grant permission when the fake GDocs app asks for it.

If, unfortunately, you've already fallen for the scam and granted permission to the hackers, go to your Google connected sites console and immediately revoke access to "Google Docs." (If you don't trust the embedded link here — which is generally a good thing — you can manually type the address into your browser: https://myaccount.google.com/security?pli=1#connectedapps)

While you're at it, it's a good idea to revoke permission for any app listed there that you don't recognize.

Finally, change your Google password.