Skip to content
Threat Feed
medium advisory

GSuite Suspicious File Share with Phishing Filenames

This analytic detects suspicious file sharing activity in Google Workspace where files are shared with names commonly associated with phishing campaigns, such as 'invoice,' 'shipment,' or 'delivery', potentially leading to credential theft or malware infection.

This brief focuses on detecting spear phishing attempts within Google Workspace environments through the identification of suspicious filenames associated with shared files. The detection leverages GSuite Drive logs to identify documents with titles that include keywords such as "dhl," "ups," "invoice," and "shipment". These filenames are commonly used in phishing campaigns to trick users into opening malicious documents or clicking harmful links. The successful exploitation of this technique can lead to unauthorized access to sensitive information, data theft, or further compromise of the user's system. This analytic helps defenders identify and respond to potential phishing attacks targeting their organization via Google Drive.

Attack Chain

  1. Attacker crafts a document with a malicious payload or link and names it with a phishing-related term (e.g., "invoice," "shipment").
  2. The attacker shares the malicious file via Google Drive with a target user within the organization. The file is intentionally named to entice the recipient.
  3. The target user receives a notification or email about the shared file in Google Drive.
  4. The user, believing the file is legitimate, opens the shared document in Google Drive.
  5. If the document contains a malicious link, the user clicks on it, redirecting them to a phishing website.
  6. The phishing website prompts the user to enter their credentials, which are then captured by the attacker.
  7. Alternatively, if the document contains a malicious script, it executes upon opening, potentially installing malware on the user's system.
  8. The attacker gains unauthorized access to the user's account or system, enabling data theft, lateral movement, or further malicious activities.

Impact

A successful phishing attack via Google Drive can compromise user accounts, leading to unauthorized access to sensitive data and potential data breaches. The impact can range from individual account compromise to widespread organizational damage, including financial losses, reputational damage, and legal liabilities. Organizations can experience a significant disruption of services, especially if critical accounts are compromised. The number of potential victims depends on the scale of the phishing campaign and the attacker's targets within the organization.

Recommendation

  • Deploy the GSuite Suspicious Shared File Name Sigma rule to your SIEM to identify potentially malicious file sharing activity in Google Drive (rules).
  • Configure your GSuite environment to log Drive events, specifically file sharing activities, to enable the Sigma rule to function correctly (data_source).
  • Educate users about the risks of opening shared files with suspicious filenames and clicking on links from unknown sources (references).
  • Review and customize the keyword list in the Sigma rule to align with your organization's specific threat landscape and common phishing themes (search).
  • Investigate any alerts generated by the Sigma rule, prioritizing those involving sensitive data or high-value targets (summary).
  • Implement multi-factor authentication (MFA) to mitigate the impact of compromised credentials obtained through phishing attacks (summary).

Detection coverage 2

GSuite Suspicious Shared File Name

medium

Detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns.

sigma tactics: initial_access techniques: T1566.001 sources: webserver, linux

GSuite Suspicious File Share - Internal Domain Filter

medium

Detects shared files in Google Drive with suspicious filenames, filtering out internal test domains to reduce false positives.

sigma tactics: initial_access techniques: T1566.001 sources: webserver, linux

Detection queries are available on the platform. Get full rules →