Phishing Campaign Uses Google Drive to Bypass Email Gateways
A highly targeted phishing campaign was recently observed bypassing a Microsoft email gateway by using documents shared via Google Drive to target the staff of a company in the energy industry.
Google Drive is a file storage and synchronization service created by Google that enables its users to store files in the cloud and effortlessly synchronize them between devices and platforms. The documents used to link to the phishing landing page were delivered using Google Docs, Google's online word processor.
The phishing messages spotted by Cofense security researchers impersonated the company's CEO and tried to trick employees into opening an "important message" shared via Google Docs.
"The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company," found Cofense.
This allowed the attackers to use Google's legitimate service to get past the phishing protection that Microsoft Exchange Online Protection, a cloud-based email filtering service, provided to the company.
The link in the email led to a Google Docs document which, in turn, redirected potential victims to the attackers' phishing landing pages, where they were asked to enter their credentials to read the CEO's urgent message.
"The link within the email body is also hard to defend against because it links to an actual Google Drive share," also found the Cofense researchers.
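Because the notification is a genuine Google Drive share and the link points at a real docs.google.com document, URL reputation alone does not catch this; what does stand out, as Cofense notes, is the mismatch between the executive's name and the sharer's address. The following is an added example, not Cofense's code or any tool from the article, showing a simple post-delivery check that flags share notifications whose "shared on behalf of" name matches a known executive while the sharer address is outside the company's own domains. The company domains, executive list, the "Name (address) has shared" phrasing, and the two sample message bodies are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed values for this example: the targeted company's own mail domains
# and the executives whose names an attacker would borrow.
COMPANY_DOMAINS = {"example-energy.com"}
EXECUTIVES = {
    "jane doe": "jane.doe@example-energy.com",
}

# Drive share notifications name the sharer in the body as
# "Display Name (address) has shared ..."; this pattern assumes that phrasing.
SHARE_LINE = re.compile(
    r"^(?P<name>[^\n(]+?)\s*\((?P<addr>[^\s()]+@[^\s()]+)\)\s+has shared",
    re.MULTILINE,
)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def check_share_notification(body: str) -> Verdict:
    """Flag a share notification that borrows an executive's name."""
    m = SHARE_LINE.search(body)
    if not m:
        # Not a share notification in the phrasing we parse: leave it to the
        # regular filters rather than guessing.
        return Verdict(False)

    name = " ".join(m.group("name").split()).lower()
    addr = m.group("addr").lower()
    reasons = []

    expected = EXECUTIVES.get(name)
    if expected and addr != expected:
        reasons.append(
            f"display name '{name}' matches an executive but the sharer is {addr}"
        )
    if expected and domain_of(addr) not in COMPANY_DOMAINS:
        reasons.append(
            f"sharer domain '{domain_of(addr)}' is not a company domain"
        )
    return Verdict(bool(reasons), reasons)


# Constructed sample bodies for the example; not real messages.
MALICIOUS = """\
Jane Doe (ceo.jane.doe@gmail-lookalike.example) has shared the following document:

Important message
Open
"""

BENIGN = """\
Jane Doe (jane.doe@example-energy.com) has shared the following document:

Q3 planning
Open
"""

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS), ("benign", BENIGN)):
        v = check_share_notification(body)
        print(label, "suspicious" if v.suspicious else "ok", v.reasons)
```

The check deliberately does nothing for a share from the executive's real corporate address, so it only fires on the name/address mismatch the article describes; a production version would also want fuzzy matching on the display name (initials, reordered names, look-alike characters) and a feed of executive names from the directory rather than a hard-coded table.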
(Score: 3, Insightful) by jmichaelhudsondotnet on Saturday August 17, @01:24PM
So, using two software suites operated essentially by a bunch of TLA's holding hands, a vulnerability was discovered?
You don't say.
The question here is not what or who is secure, but which bad actors will get your data and how they will use it to abuse you. They might have an interesting argument over which one will get to abuse you first.
Is there a way to filter out of my brain all 'security update' information regarding platforms I have already for years known to be absolutely untrustworthy?
The guy trying to build a perfectly level object atop the Leaning Tower of Pisa is also having a lot of trouble, I hear, but I don't have any extra time to worry about people trying to do futile things.
(Score: 2, Interesting) by Anonymous Coward on Saturday August 17, @01:38PM
We've been seeing attacks with the payload hosted on Google Drive (and pretty much everything else) for years; the last campaign I investigated used OneDrive.
(Score: 2) by RamiK on Saturday August 17, @06:37PM
Most companies serving remote RDP terminals end up approving gmail for downloading attachments since their users can't work without it. This, while also allowing users to install peripheral drivers for printers and such if they're already signed and available on the server since when the session resets the USB peripherals are reinstalled from the driver cache which windows sets as the same policy* as reinstalling from signed MSIs and INFs... Put two and two together and you'll never have to wait for the phone support representative to tell you it will take a few days for the driver to get approved ever again.
*At least that's what it's been like on the boxes I've handled. Haven't opened group policy editor in years but I'm sure there's a way around it...
compiling...
(Score: 0) by Anonymous Coward on Sunday August 18, @05:15AM
My work went with o365 for staff and faculty and Google Apps for students. MS has the worst spam scanning of anybody. My uncaught spam messages went from almost non-existent with near zero misclassified ham to 10 uncaught spams per day in my inbox (a good portion of these are phishing emails), and tons of ham misclassified as spam. Fucking worthless shit. We also have been getting repeatedly hit with successful phishing campaigns since switching, since MS doesn't even catch phishing emails claiming to be from MS?!!! I also have a Google student account, and it has never had a phishing email make it to its inbox.
This Google Drive vector might be a problem for folks using a mail filtering system created and operated by a competent organization. But, for MS o365 (used as the example in TFA), this vector is irrelevant.
We used to use a postfix + postscreen + amavis + spamassassin etc. setup that was very effective.