This attack report covers a phishing attack against Gmail and Google Drive customers that leverages both services and exploits a blind spot in the G Suite service.
This one starts with an email from the "US Bankruptcy Court" to the company's CEO, inviting her to a hearing in a few days and has a link titled "Get Notification". The email's subject & structure look convincing enough to not arise suspicion from a CEO. Upon clicking the link, a Google Drive file automatically starts to download. Before we explain the security gap, here's one example:
Where is the blind spot and how is it being exploited?
First, here's the link to Google-Drive (We masked parts to prevent accidental clicks):
https://docs.google.com/uc?authuser=0&id=xxxxxxxxxxx_xxxxxxxxxxxxxx00&export=download
Notice the "export=download"? This is what triggers an immediate download of the file to the end-user's PC. Depending on the browser and the configuration, the file may either automatically open or save. Either way, the malware made it to the endpoint and presumably the CEO that clicked the link is likely to open it.
But the core issue is this - why didn't the sender just attach the file to the email? Very likely because the security Google has for Gmail is not the same as the security they have in place for Google Drive. At Avanan, we receive between 200-500 pieces of true unknown malware every day from our security partners and test those malicious files against the default security of different SaaS services. Over months of testing, we consistently see that while Gmail misses and lets through 5%-10% of malicious files on average, Google Drive consistently misses close to 20%, sometimes missing as many as 40% of malicious files. Google's strategy to invest more in Gmail's security makes sense with email being the most common attack vector, but it creates a blind-spot as can be seen in this instance. The hackers are using the reduced security of Google's file sharing platform to get around Gmail's stricter security measures.
Another reason this was not caught is due to its URL. Google scans emails for known malicious and suspicious links. Naturally with Google Drive links, their own service is not categorized as suspicious. And even if the specific URL within Google Drive is to be flagged, the attackers see they got blocked in real-time and can upload the malware as another file, getting a new Google Drive URL that Gmail, once again, doesn’t know to block.
Finally, Google is running a statistical analysis algorithm to help block spam. This works well with the massive spammers that send millions of emails in a short period of time. However, this attack is extremely targetted and goes only after the CEO of the company, the natural audience for such an email, making it more likely to stay under the radar of this detection layer.
What can you do?
The Avanan Gmail security module detected this attack in the cloud before the user received the email. The technical details of how we were able to catch it are that the Avanan Cloud Security Platform followed the link, downloaded the file to a sandbox environment and scanned it for zero-day malware with the best-of-breed security tools on the platform. In this case, credit goes to Check Point Sandblast that detected this file as malware.
Avanan is API-based, so to install you just approve our app in the Google app store, and then all emails and files get scanned by any security tool before the end-user ever receives them in their inbox.
If phishing and malware are a concern for your organization, you can start a free trial of Avanan, it takes 5-10 minutes and in up to 3 days (depending on your size) we'll give you a report with all the phishing and malware attacks that currently exist on your Gmail and Google Drive.
Check your Gmail and Google Drive
