Our customer support team is always busy helping customers audit and improve their Google Workspace & Microsoft 365 security settings. Recently, we’ve noticed a significant increase in Google Docs phishing scams.
In one example, a school district that was doing a free security audit with us uncovered a file containing phishing links being shared into their domain from seven other school districts! This means that each of these seven school districts had at least one compromised Google account. (Don’t worry, we notified these districts directly and discreetly).
What is a Google Docs Phishing Scam and How Does It Work?
There are a few Google phishing scam variations that criminals will use. The one that our Cloud Monitor platform is currently detecting involves hackers sharing Google Docs that contain a phishing link in the document.
It all starts with a compromised account. A user’s Google Workspace account can be hacked through a phishing email, password cracking, stolen credentials, insecure Wi-Fi, a malicious or insecure third-party app with relevant permissions, and other means.
Once one or more accounts are compromised, the criminal will use them to create a Google Doc that contains a phishing link. Then they will share the document with other users and contacts, usually using the “anyone with the link” share permission and view-only access, which keeps the document from being edited but still allows the link to be clicked.
Much like a phishing email, they will try to make the document look legitimate in order to get people to click on the link. The documents are given titles that make them look district-related; retirement benefits information is a common example. The documents are shared with victims’ accounts, which automatically adds them to the victims’ “Shared With Me” folder. Unsuspecting users can then click on these links and end up getting phished.
The biggest benefit of this tactic for hackers is that phishing filters won’t flag the message as spam or suspicious. It arrives as a sharing notification and/or a Google Docs link (rather than as a phishing link in the body of the email), and that is always going to be trusted. Another benefit is that the document will also be available in the “Shared With Me” folder in Google Drive, and there is currently no way to remove shared files at the admin level. However, Google has recently released a way for individual users to remove “Shared With Me” documents from their own accounts by following these steps.
How Can Cloud Monitor Help?
There are a few ways that ManagedMethods’ Cloud Monitor platform can help with this kind of issue. First, it can detect suspicious login activity hitting your accounts. For example, it can detect when someone is trying to log in to an account from outside of the country, such as from Russia, China, etc. It will also flag logins that indicate impossible travel, for example if a user logs in from Colorado and then logs in from China an hour later. This kind of activity can be a strong indication that an account has been compromised, or that attempts are being made on your domain.
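The impossible-travel check described above can be sketched as follows. This is an added example, not ManagedMethods’ or Cloud Monitor’s code; the event format, sample logins, coordinates, 900 km/h speed ceiling and 50 km tolerance are all assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

# Constructed sample login events (user, UTC time, latitude, longitude).
EVENTS = [
    ("teacher@district.example", "2024-03-04T14:00:00", 39.74, -104.99),  # Colorado
    ("teacher@district.example", "2024-03-04T15:00:00", 39.90, 116.40),   # China
    ("admin@district.example",   "2024-03-04T08:00:00", 39.74, -104.99),  # Colorado
    ("admin@district.example",   "2024-03-04T09:30:00", 38.83, -104.82),  # Colorado
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (user, earlier_time, later_time, km, kmh) for consecutive logins
    by the same user that would require travelling faster than max_kmh."""
    findings = []
    last_seen = {}  # user -> (time, lat, lon) of the previous login
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Simultaneous logins from distant places are flagged too;
            # the 50 km tolerance absorbs IP-geolocation error.
            kmh = km / hours if hours > 0 else float("inf")
            if km > 50 and kmh > max_kmh:
                findings.append((user, prev_when, when, round(km), round(kmh)))
        last_seen[user] = (when, lat, lon)
    return findings

if __name__ == "__main__":
    for finding in impossible_travel(EVENTS):
        print(finding)
```

In practice the coordinates come from geolocating the source IP of each login event, so VPN and mobile-carrier egress points are a common source of false positives.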
Unlike email phishing filters, Cloud Monitor will also detect phishing links that are located in documents, presentations, spreadsheets, etc. (in addition to emails). In this case, it wasn’t the customer’s accounts that had been compromised. Rather, other districts were compromised and were sharing documents containing phishing links with the customer’s users. Cloud Monitor was able to detect those phishing links and alert the customer to the issue.
It will also detect phishing links that your own users are sending out. Finding this kind of activity in your domain is a very strong indication that at least one of your accounts has already been compromised and that you need to take corrective action.
What Should I Do Next?
It’s typically super difficult to know if you have compromised accounts in your district’s Google Workspace and/or Microsoft 365 domain without the proper tools in place to detect this kind of abnormal behavior and alert you to it. Whether or not you’re a current ManagedMethods customer, we’d love to help you through the process of auditing your accounts. Simply fill out a form to request a free Google/Microsoft security audit and a member of our team will reach out to get the process going.