Messaging from Google Enterprise Support
Affected Products: G Suite
Description: Users report receiving many spam/phishing messages that are not being detected. The message claims to be a Google Docs sharing notification. After clicking the link, the user is prompted to grant application permissions for both the Gmail ("Read, send, delete, and manage your email") and Contacts ("Manage your contacts") scopes. The application then sent the same phishing message to the user's contacts, but this effect has been mitigated.
We have taken action to protect our customers by:
* Disabling the offending Google accounts that generated the phishing link.
* Removing the fake Google login page that the link routes you to.
* Working to ensure that an incident like this doesn’t occur again in the future.
Steps to Reproduce: You've received a message that claims to be a Google Docs sharing notification, with a subject of the form "<person> has shared a document on Google Docs with you". After clicking the "Open in Docs" link, you are prompted to grant an application called "Google Docs" permissions for both the Gmail ("Read, send, delete, and manage your email") and Contacts ("Manage your contacts") scopes.
Workaround: We advise users to be careful when clicking links in email and when unexpectedly prompted to grant access to applications. We encourage you to report phishing emails in Gmail (https://support.google.com/mail/answer/8253?hl=en).
More information is available here:
Dito's Recommendations for Google Admins
- Perform this task (https://support.google.com/a/answer/2984349?hl=en) for any affected account that granted a token to the OAuth client, to make sure the affected accounts are fully secured while Google's engineering teams continue their internal investigation.
- Check your Google account’s app permissions at https://myaccount.google.com/security. There should not be an app called “Google Docs” there; the actual Google Docs has access to your account by default. If you see it listed there, remove it by tapping the label and hitting “Remove”.
- Reset passwords
- Enable 2SV
- Check the Token log in the Reports section of the Admin Console. This shows who authorized access to apps. This particular app appears to get access to a user's Gmail and Contacts. Revoke access using the instructions in the next bullet point.
- To revoke access to Authenticated Applications (do this for all affected accounts), follow the instructions here: https://support.google.com/a/answer/2537800?hl=en
- Create a Content compliance rule, as shown in the steps below, for mailinator.com, then review the quarantine to discover who has been affected and clicked through the phishing email:
  1. Email messages to affect: check all boxes
  2. Add expressions:
     - Location: Full headers
     - Matches regex: mailinator.com
  3. If expressions match: Quarantine message
- Remove malicious emails from accounts:
  - Vault: search for the message ID and create a custom retention rule with retention set to one day. After one day, the message is removed from the user's mailbox: https://support.google.com/vault/answer/2535539?hl=en&ref_topic=3209998
  - Gmail API or IMAP: create a script that signs in to the affected accounts and deletes the targeted message