Hey Joe,

juselding · ‎05-03-2017

We are getting a large amount of Google Docs Phishing e-mails hitting our ESA. The messages say they are from random users stating something similar to the following.

"Trevor Vogel has invited you to view the following document:"

With a link back to google docs, however I am sure this is not legitimate in any way. Has anyone found a way to block this while letting legit requests directly from google through?

Joe

Libin Varghese · ‎05-03-2017

Hi Joe,

I would think you would need to submit some of these phishing email samples to Cisco in order to update the anti-spam, URL, graymail rules that may have missed these.

Unfortunately phishing campaigns often mutate very quickly in order to avoid our evolving rule updates, so if you do see new phishing emails slipping through, please submit them as soon as possible so we can further refine our rules.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117822-qanda-esa-00.html

Adding below link which shows this was a global outbreak today and as per the article should be fixed now.

https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/

The only other way would be to maintain a list of trusted senders and allow google doc invites based on subject only from those senders, which would be more difficult from a management point of view.

Thank You!

Libin Varghese

juselding · ‎05-03-2017

Libin,

The items were already submitted, however it looks like this is pretty wide spread across the internet.

http://bgr.com/2017/05/03/google-docs-phishing-hack-attack-how-to-delete/

Joe

Libin Varghese · ‎05-03-2017

Hey Joe,

Yes I see Google removed the problem causing application and the URL should no longer ask for login information. I updated my initial post once I saw that information online and a few TAC cases as well come through.

- Libin V