It is estimated that close to 0.1% of Gmail users were hit by the Google Docs phishing attack that spread across the globe this Wednesday – even though Google managed to shut down the vulnerability in less than an hour once it became aware of the scam.
Anatomy of the attack
The attack can be classified as traditional phishing spam. Here is the anatomy of a typical attack as it happened:
Step 1: The target sees an email from a familiar contact with a subject line like "Russell has shared a document on Google Docs with you."
Step 2: The user clicks the "Open in Docs" button. This button points to a Google OAuth URL, and there is nothing suspicious about the URL itself. Here is an example URL –
Step 3: Install the malicious application – if the user provides the credentials, the malicious application is installed.
The important thing to notice is that all of the steps above are exactly the steps you would take to install a legitimate app with Google OAuth. This is what makes such spam or phishing hard to stop: if the entire OAuth and application-installation process is close to that of a real application, the only way malicious applications can be blocked is by detecting the application name and similar attributes.
What was the impact?
Within an hour on Wednesday morning, more than a million users were affected by the spam. This shows how fast the attack spread and caused problems across the entire Gmail user base. On Wednesday morning, an active discussion in the largest incident response community centered on how to block the attack for the enterprise, and different URLs and hosts were identified.
This method of exploiting user trust to spread an attack is not new in any way. It was a simple and mundane phishing attack with one slight twist: no malicious file was used for infection, propagation, or data exfiltration. It is an example of pure cloud technologies being used to create a new vector for launching a phishing attack in an ever-changing threat landscape. The following are the typical defenses that phishing attacks run into, and in this case none of them applied:
- Two-Factor Authentication – This attack didn’t steal a password.
- Endpoint Security – There is no malware binary involved to detect or block using anti-virus or other endpoint security techniques.
- Email Authentication – The phishing email came from an authentic email account. It wasn’t spoofing and therefore wouldn’t fail email authentication.
Speed of Response and Automation
One of the biggest challenges in any incident is how quickly an organization identifies that an attack is in progress and responds. The accuracy of the response is essential as well.
Bottom line – the fastest way to identify that the attack was in progress was to spot the trend in inbound emails with similar subjects, or emails containing the address firstname.lastname@example.org.
Demisto’s automation engine can parse thousands of suspicious emails in a matter of minutes and surface related incidents using its Machine Intelligence Engine, which finds related incidents based on email data (headers, body, embedded artifacts, attachments) to detect emerging threat patterns across the products used in the enterprise.
Once a pattern has been identified and the analyst team alerted, analysts can investigate and validate whether an attack is indeed in progress, then alert their stakeholders and enterprise users to take the right actions.
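The two detection signals described above (a trend of inbound mail with similar subjects, and mail addressed to the indicator address), as an added example that is not part of the original post or the Demisto product. The script parses a handful of constructed raw messages with the standard library, collapses sender-specific subjects onto one template so the campaign counts as a single cluster, and flags a cluster either as a burst within a time window or because it carries the indicator address. The mail contents, sender names and timestamps are constructed; the indicator address is the placeholder quoted in the post.

```python
import re
from collections import defaultdict
from datetime import timedelta
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Placeholder address as quoted in the post; the real campaign used a different one.
INDICATOR_ADDRESS = "firstname.lastname@example.org"

# Subjects of the form "<someone> has shared a document on Google Docs with you",
# optionally prefixed by Re:/Fwd:.
SHARE_SUBJECT = re.compile(
    r"^\s*(?:(?:re|fwd?):\s*)*(.+?)\s+has shared a document on google docs with you\s*$",
    re.IGNORECASE,
)


def make_mail(sender, to, cc, subject, date, body="Open in Docs"):
    """Build a raw RFC 822 message string (constructed sample data, not real mail)."""
    headers = [f"From: {sender}", f"To: {to}"]
    if cc:
        headers.append(f"Cc: {cc}")
    headers += [f"Subject: {subject}", f"Date: {date}", "Content-Type: text/plain"]
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed inbound mail for one morning: three campaign messages that carry the
# indicator address, one genuine share with the same subject shape, one unrelated mail.
RAW_MAILS = [
    make_mail("russell@corp.example", INDICATOR_ADDRESS, "alice@corp.example",
              "Russell has shared a document on Google Docs with you",
              "Wed, 03 May 2017 12:05:00 -0700"),
    make_mail("bob@corp.example", INDICATOR_ADDRESS, "alice@corp.example",
              "Bob has shared a document on Google Docs with you",
              "Wed, 03 May 2017 12:20:00 -0700"),
    make_mail("dana@corp.example", "alice@corp.example", None,
              "Dana has shared a document on Google Docs with you",
              "Wed, 03 May 2017 12:30:00 -0700", body="Quarterly plan, please review."),
    make_mail("carol@corp.example", INDICATOR_ADDRESS, "alice@corp.example",
              "Fwd: Carol has shared a document on Google Docs with you",
              "Wed, 03 May 2017 12:41:00 -0700"),
    make_mail("cafeteria@corp.example", "all@corp.example", None,
              "Lunch menu for this week", "Wed, 03 May 2017 09:00:00 -0700",
              body="Tacos on Tuesday."),
]


def subject_template(subject):
    """Collapse sender-specific subjects onto one template so a campaign that only
    varies the sharer's name is counted as a single trend."""
    if SHARE_SUBJECT.match(subject or ""):
        return "<name> has shared a document on google docs with you"
    return re.sub(r"\s+", " ", (subject or "").strip().lower())


def parse_mail(raw):
    """Extract the fields the clustering needs from one raw message."""
    msg = message_from_string(raw)
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    return {
        "sender": parseaddr(msg.get("From", ""))[1].lower(),
        "subject": msg.get("Subject", ""),
        "template": subject_template(msg.get("Subject", "")),
        "date": parsedate_to_datetime(msg["Date"]),
        "indicator_hit": INDICATOR_ADDRESS in recipients,
    }


def find_campaigns(raw_mails, threshold=3, window=timedelta(hours=1)):
    """Group mails by subject template and report clusters that look like a campaign:
    either a burst (>= threshold mails inside one window) or any mail carrying the
    indicator address, which on its own is enough to escalate."""
    clusters = defaultdict(list)
    for raw in raw_mails:
        parsed = parse_mail(raw)
        clusters[parsed["template"]].append(parsed)

    campaigns = []
    for template, mails in clusters.items():
        dates = [m["date"] for m in mails]
        burst = len(mails) >= threshold and (max(dates) - min(dates)) <= window
        hits = sum(1 for m in mails if m["indicator_hit"])
        if burst or hits:
            campaigns.append({
                "template": template,
                "count": len(mails),
                "indicator_hits": hits,
                "senders": sorted({m["sender"] for m in mails}),
                "first_seen": min(dates).isoformat(),
            })
    return campaigns


if __name__ == "__main__":
    for campaign in find_campaigns(RAW_MAILS):
        print(campaign)
```

Note that the genuine share from Dana lands in the same cluster as the three campaign messages, because the subject shape is identical; that is exactly the difficulty the post describes. The cluster count is the trend signal that gets an analyst looking, and the indicator-address hits are what separate the campaign mail from the legitimate share once they do.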
The next step is to take action once the malicious hosts and email addresses have been identified.
In this case, the malicious email address could have been blocked on email gateways and all such emails could have been deleted from mailboxes across the enterprise. Creating such rules manually is a cumbersome, time-consuming procedure.
With an automation platform, block and clean-up rules can be pushed automatically and quickly. One of Demisto’s customers identified this attack in its nascent stage with the Demisto Platform by processing the forwarded malicious emails through an automated phishing playbook, and cleaned the emails in real time as soon as they confirmed this was a phishing campaign. This contained the incident fast.
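The block-and-clean step described above, as an added example that is not part of the original post or the Demisto playbook. Given indicators confirmed by an investigation, it renders a gateway block rule (in Sieve syntax, RFC 5228, assuming a Sieve-capable gateway) and sweeps a set of mailboxes, deleting only messages that match a confirmed sender or the indicator recipient while keeping a genuine share that merely looks alike, and writing an audit record for every deletion so the sweep can be re-run safely. The mailbox contents, sender addresses and function names are constructed; the indicator recipient is the placeholder quoted in the post.

```python
from datetime import datetime, timezone

# Indicators confirmed by the investigation (constructed values: the indicator
# recipient is the placeholder quoted in the post, the senders are made up).
INDICATORS = {
    "senders": {"russell@corp.example", "bob@corp.example", "carol@corp.example"},
    "recipients": {"firstname.lastname@example.org"},
}

# Constructed mailbox contents: already-parsed headers per message.
MAILBOXES = {
    "alice@corp.example": [
        {"id": "m1", "from": "russell@corp.example",
         "to": ["firstname.lastname@example.org"], "cc": ["alice@corp.example"],
         "subject": "Russell has shared a document on Google Docs with you"},
        {"id": "m2", "from": "dana@corp.example",          # genuine share, must survive
         "to": ["alice@corp.example"], "cc": [],
         "subject": "Dana has shared a document on Google Docs with you"},
    ],
    "eve@corp.example": [
        {"id": "m3", "from": "unknown@partner.example",    # sender not yet on the list,
         "to": ["firstname.lastname@example.org"],         # caught by the recipient indicator
         "cc": ["eve@corp.example"],
         "subject": "Someone has shared a document on Google Docs with you"},
        {"id": "m4", "from": "frank@corp.example",
         "to": ["eve@corp.example"], "cc": [], "subject": "Re: budget"},
    ],
}


def is_campaign_mail(msg, indicators):
    """A message is campaign mail if it comes from a confirmed sender or is
    addressed (To/Cc) to the indicator recipient."""
    recipients = {a.lower() for a in msg["to"] + msg["cc"]}
    return (msg["from"].lower() in indicators["senders"]
            or bool(recipients & indicators["recipients"]))


def sieve_block_script(indicators):
    """Render a Sieve filter that discards matching mail at the gateway.
    address/discard/stop/anyof are core Sieve, so no 'require' is needed."""
    def string_list(values):
        return "[" + ", ".join(f'"{v}"' for v in sorted(values)) + "]"
    return (
        "if anyof (\n"
        f'    address :is "from" {string_list(indicators["senders"])},\n'
        f'    address :is ["to", "cc"] {string_list(indicators["recipients"])}\n'
        ") {\n    discard;\n    stop;\n}\n"
    )


def sweep_mailboxes(mailboxes, indicators, audit_log):
    """Delete campaign mail from every mailbox in place, recording each removal.
    Returns the ids deleted in this run; a second run finds nothing to delete."""
    deleted = []
    for owner, messages in mailboxes.items():
        keep = []
        for msg in messages:
            if is_campaign_mail(msg, indicators):
                deleted.append(msg["id"])
                audit_log.append({"mailbox": owner, "id": msg["id"], "from": msg["from"],
                                  "subject": msg["subject"],
                                  "at": datetime.now(timezone.utc).isoformat()})
            else:
                keep.append(msg)
        messages[:] = keep
    return deleted


def contain(mailboxes, indicators):
    """The containment playbook: push the gateway rule, then clean the mailboxes."""
    audit_log = []
    deleted = sweep_mailboxes(mailboxes, indicators, audit_log)
    return {
        "sieve": sieve_block_script(indicators),
        "deleted": sorted(deleted),
        "kept": sum(len(m) for m in mailboxes.values()),
        "audit": audit_log,
    }


if __name__ == "__main__":
    boxes = {owner: list(msgs) for owner, msgs in MAILBOXES.items()}
    first = contain(boxes, INDICATORS)
    print(first["sieve"])
    print("deleted:", first["deleted"], "kept:", first["kept"])
    print("second run deleted:", contain(boxes, INDICATORS)["deleted"])
```

Two design points matter here. Matching on either indicator means a message from a sender the investigation has not listed yet is still removed when it carries the indicator recipient, which is how the campaign actually spread. And the sweep never keys on the subject alone, because the subject shape is shared with legitimate Google Docs notifications; that is what keeps the genuine share in place.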