Google Docs Phishing: How Businesses Can Quarantine And Recover

Problem:

On 5/3/2017 a sophisticated, widespread, self-propagating attack targeted Gmail and G Suite users. The attack encourages users to click an "Open In Docs" button, which then uses the user's existing login session to authorize the attacker's application (without requiring the user to enter their credentials). By clicking the Open in Docs button, the user grants a script access to that user's mailbox.

Example of malicious message:

This is what the whole attack looks like (courtesy of @zachlatta)

Solution/Workaround:

The workaround below is intended as a temporary solution and does not guarantee that future attacks will be prevented. Please follow ALL of the steps below. These steps are provided by Agosto on an experimental basis. Agosto assumes no responsibility for any actions performed on your G Suite account.

Prevent Messages from Entering Domain

  1. Log in to admin.google.com and create an Admin Quarantine following these steps

  2. Navigate to the Advanced Gmail Settings

  3. Scroll down to Content Compliance and create a new rule matching the screenshot shown in the appendix of this document

    1. Match Type (if any match)

      1. The body contains text https://accounts.google.com/o/oauth2/auth?client_id=

      2. Any envelope recipient is hhhhhhhhhhhhhhhh@mailinator.com

    2. Action

      1. Quarantine - Using the Admin Quarantine created in step 1
         
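To make explicit what the content compliance rule above matches on, here is an added Python example (not Agosto's or Google's code) that applies the same two "if any match" conditions to a message's body and envelope recipients, and additionally extracts the client_id from the consent link so the rogue app named in the GAM step can be told apart from other OAuth consent requests. The sample messages are constructed, not real captures.

```python
import re
from urllib.parse import parse_qs, urlparse

# Indicators quoted from this advisory: the consent-URL prefix the content
# compliance rule matches, the drop address used as recipient, and the
# client ID of the rogue "Google Docs" app that the GAM step revokes.
OAUTH_AUTH_PREFIX = "https://accounts.google.com/o/oauth2/auth?client_id="
KNOWN_BAD_CLIENT_ID = "366668462857-3qkidqn8oseh9v3fhm3085kpb747bgm7.apps.googleusercontent.com"
KNOWN_BAD_RECIPIENT = "hhhhhhhhhhhhhhhh@mailinator.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def consent_client_ids(body):
    """Return the client_id of every Google OAuth consent link in body."""
    ids = set()
    for url in URL_RE.findall(body):
        if url.startswith(OAUTH_AUTH_PREFIX):
            # HTML bodies usually encode '&' as '&amp;'; undo that before parsing.
            query = urlparse(url.replace("&amp;", "&")).query
            ids.update(parse_qs(query).get("client_id", []))
    return ids

def classify(envelope_recipients, body):
    """Apply the advisory's 'if any match' rule to one message and return
    (action, reasons): "quarantine" if the body carries a consent link or an
    envelope recipient is the drop address, otherwise "deliver"."""
    reasons = []
    if any(r.strip().lower() == KNOWN_BAD_RECIPIENT for r in envelope_recipients):
        reasons.append("envelope recipient is the known drop address")
    ids = consent_client_ids(body)
    if KNOWN_BAD_CLIENT_ID in ids:
        reasons.append("consent link for the known malicious client_id")
    elif ids:
        reasons.append("consent link for unrecognised client_id(s): " + ", ".join(sorted(ids)))
    return ("quarantine" if reasons else "deliver", reasons)

# Constructed sample messages (not real captures) exercising both branches.
PHISH_BODY = (
    "X has shared a document with you. "
    '<a href="https://accounts.google.com/o/oauth2/auth?client_id='
    "366668462857-3qkidqn8oseh9v3fhm3085kpb747bgm7.apps.googleusercontent.com"
    '&amp;scope=email&amp;redirect_uri=https://example.invalid/cb">Open in Docs</a>'
)
CLEAN_BODY = "Quarterly numbers are at https://docs.google.com/document/d/abc123"

if __name__ == "__main__":
    print(classify(["alice@example.com", KNOWN_BAD_RECIPIENT], PHISH_BODY))
    print(classify(["alice@example.com"], CLEAN_BODY))
```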

Revoke Access for anyone who has already authorized this token

  1. Download and Install Google Apps Manager (GAM)

  2. Issue the following command to revoke all existing authorizations

    1. gam all users delete token clientid 366668462857-3qkidqn8oseh9v3fhm3085kpb747bgm7.apps.googleusercontent.com

    2. Optionally append >> log.txt to the command to keep a record of all affected users

  3. Information on this command is found here

 

Recall any trace of the infected message from all users' accounts

  1. Download and Install Google Apps Manager (GAM)

  2. Issue the following command to purge all copies of the message

    1. gam all users delete messages query "to:hhhhhhhhhhhhhhhh@mailinator.com" maxtomodify 100 doit

    2. Optionally append >> log.txt to the command to keep a record of all affected users

  3. Information on this command is found here