There was a very large, sophisticated phishing attack on May 3 using a malicious application called Google Docs. This attack and others like it can be identified, tracked and remediated in CloudSOC.
How users experienced the attack
Users received a phishing email with an invitation to view a Google document from one of their contacts. Users who clicked on it were redirected to install a malicious third-party app called Google Docs. During this installation the user was asked to select a Google account and then to grant the malicious app permission to “read, send, delete, manage email” and “manage your contacts”. Once the user clicked to authorize these permissions, the app could access the data on mail.google.com and googleapis.com/auth/contacts. The user was then redirected to a fake landing page that could be used for additional phishing messages.
CloudSOC identifies the attack and revokes access
Organizations using CloudSOC will see this malicious application in their Google Securlet dashboard along with details on the users who authorized the app to access their accounts and a button to automatically revoke the authorization to that malicious app for all users.
CloudSOC Securlet dashboard identifies fake Google Docs app
CloudSOC identifies users who have authorized access to fake Google Docs app and offers to revoke this access
OAuth attacks are not new but are growing more common
In today’s world of cloud apps, it is convenient for users to grant third-party apps access to their accounts (email, social media, file sharing, etc.) using OAuth rather than handing over a password. Google has mitigated this attack, but others like it are growing in popularity. Bad actors take advantage of how routine it has become for users to grant access to third-party apps, so routine that many users don’t think twice about granting these permissions if the request looks normal. In this case, the app was named Google Docs and looked legitimate to many users. These attacks don’t use malware, but CloudSOC provides the visibility and controls to remediate them.
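The check CloudSOC's dashboard performs can be approximated from an export of third-party OAuth grants. The following is an added example, not CloudSOC or Google code: it flags grants where a third-party app's display name impersonates a Google product and the app holds one of the high-risk scopes the attack requested, then lists the users whose authorizations would need revoking. The Grant record layout and the sample grants are constructed for illustration.

```python
# Added example (not CloudSOC's own code): find third-party OAuth grants that
# impersonate a first-party Google product while holding high-risk scopes.
from dataclasses import dataclass

# Scopes the malicious "Google Docs" app requested, as named in the post
# (full Gmail access and contacts management), written as scope URLs.
HIGH_RISK_SCOPES = frozenset({
    "https://mail.google.com/",                   # read, send, delete, manage email
    "https://www.googleapis.com/auth/contacts",   # manage your contacts
})

# Display names a third-party app has no business using (assumed list).
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail", "google sheets"}

@dataclass(frozen=True)
class Grant:
    user: str           # account that clicked "Allow" on the consent screen
    app_name: str       # display name shown to the user
    client_id: str      # OAuth client id of the app (assumed field name)
    scopes: frozenset   # scopes the app was granted

def is_suspicious(grant: Grant) -> bool:
    """Name mimics a Google product AND at least one high-risk scope is held.
    Assumes the input only contains third-party grants, so a genuine
    first-party Google app never appears here."""
    name_hit = grant.app_name.strip().lower() in IMPERSONATED_NAMES
    scope_hit = bool(grant.scopes & HIGH_RISK_SCOPES)
    return name_hit and scope_hit

def affected_users(grants) -> dict:
    """Return {client_id: sorted users} for every suspicious app; this is the
    set of authorizations an admin would revoke for that app."""
    out = {}
    for g in grants:
        if is_suspicious(g):
            out.setdefault(g.client_id, set()).add(g.user)
    return {cid: sorted(users) for cid, users in out.items()}

# Constructed sample grants (placeholder client ids, not real data).
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Google Docs", "client-A", HIGH_RISK_SCOPES),
    Grant("bob@example.com", "Google Docs", "client-A",
          frozenset({"https://mail.google.com/"})),
    Grant("carol@example.com", "Calendar Sync Tool", "client-B",
          frozenset({"https://www.googleapis.com/auth/contacts"})),
    Grant("dave@example.com", "Google Docs", "client-C",
          frozenset({"https://www.googleapis.com/auth/userinfo.email"})),
]

if __name__ == "__main__":
    for cid, users in affected_users(SAMPLE_GRANTS).items():
        print(f"revoke {cid} for: {', '.join(users)}")
```

Carol's legitimately named app keeps its contacts scope, and Dave's impersonating app only holds a low-risk scope, so only client-A is reported.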