<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Gsuite - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/gsuite/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/gsuite/feed.xml" rel="self" type="application/rss+xml"/><item><title>Gsuite Email with Suspicious Subject and Attachments</title><link>https://feed.craftedsignal.io/briefs/2024-01-gsuite-phishing-attachments/</link><pubDate>Wed, 03 Jan 2024 15:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gsuite-phishing-attachments/</guid><description>Detection of Gsuite emails with suspicious subjects and attachments (e.g., DHL, UPS, invoice, DOC, ZIP) indicative of spear phishing, excluding internal test domains, which could lead to initial compromise and further malicious activity.</description><content:encoded><![CDATA[<p>This brief addresses the risk of spear phishing attacks delivered via Gsuite email. The detection focuses on emails with subject lines containing keywords commonly associated with phishing lures, such as shipping companies (DHL, UPS, FedEx, USPS), delivery notifications, invoices, and orders. It also analyzes email attachments for file types frequently used to deliver malware or malicious content (e.g., DOC, XLS, PDF, ZIP, HTML). Communications originating from or destined for the 'internal_test_email.com' domain are excluded. This detection logic aims to identify potentially malicious emails that bypass basic spam filters and target users with tailored lures, which began in 2026. Successful attacks of this type can lead to credential theft, malware infection, and data breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a spear phishing email with a subject line containing keywords related to shipping, delivery, or invoices to entice the recipient.</li>
<li>The email includes a malicious attachment, such as a Microsoft Word document (.doc or .docx), an Excel spreadsheet (.xls or .xlsx), a PDF file (.pdf), or a compressed archive (.zip or .rar).</li>
<li>The recipient opens the email and, prompted by the subject line, opens the attachment.</li>
<li>If the attachment is a document or spreadsheet, it may contain malicious macros or embedded code that executes upon opening.</li>
<li>If the attachment is an archive, it may contain an executable file or a malicious script that the user is tricked into running.</li>
<li>Upon execution, the malicious code may install malware, establish a connection to a command-and-control (C2) server, or steal sensitive information.</li>
<li>The malware may then spread laterally within the organization's network, compromise additional systems, and exfiltrate sensitive data.</li>
<li>The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or long-term access to the compromised environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful spear phishing attacks can result in significant damage to an organization. This includes the compromise of user accounts, the loss of sensitive data, the disruption of business operations, and financial losses due to incident response, recovery efforts, and potential regulatory fines. Spear phishing is a common vector for ransomware deployment, which can cripple an organization's infrastructure and lead to significant financial losses and reputational damage. The number of potential victims is limited to the number of employees or users who have access to Gsuite email.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;Gsuite Email Suspicious Subject With Attachment&quot; analytic as a starting point for detection, and tune the keyword list and attachment file type list for your specific environment.</li>
<li>Enable and review Gsuite Gmail logs, ensuring that attachment metadata (file type, extension, SHA256 hash) is being ingested (as described in &quot;how_to_implement&quot;) to ensure the detection rule functions correctly.</li>
<li>Block the domain <code>internal_test_email.com</code> at your email gateway to prevent any potential abuse of this testing domain, as referenced in the IOC section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>spear-phishing</category><category>initial-access</category><category>gsuite</category></item><item><title>GSuite Suspicious File Share with Phishing Filenames</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-gsuite-suspicious-file-share/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-gsuite-suspicious-file-share/</guid><description>This analytic detects suspicious file sharing activity in Google Workspace where files are shared with names commonly associated with phishing campaigns, such as 'invoice,' 'shipment,' or 'delivery', potentially leading to credential theft or malware infection.</description><content:encoded><![CDATA[<p>This brief focuses on detecting spear phishing attempts within Google Workspace environments through the identification of suspicious filenames associated with shared files. The detection leverages GSuite Drive logs to identify documents with titles that include keywords such as &quot;dhl,&quot; &quot;ups,&quot; &quot;invoice,&quot; and &quot;shipment&quot;. These filenames are commonly used in phishing campaigns to trick users into opening malicious documents or clicking harmful links. The successful exploitation of this technique can lead to unauthorized access to sensitive information, data theft, or further compromise of the user's system. This analytic helps defenders identify and respond to potential phishing attacks targeting their organization via Google Drive.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a document with a malicious payload or link and names it with a phishing-related term (e.g., &quot;invoice,&quot; &quot;shipment&quot;).</li>
<li>The attacker shares the malicious file via Google Drive with a target user within the organization. The file is intentionally named to entice the recipient.</li>
<li>The target user receives a notification or email about the shared file in Google Drive.</li>
<li>The user, believing the file is legitimate, opens the shared document in Google Drive.</li>
<li>If the document contains a malicious link, the user clicks on it, redirecting them to a phishing website.</li>
<li>The phishing website prompts the user to enter their credentials, which are then captured by the attacker.</li>
<li>Alternatively, if the document contains a malicious script, it executes upon opening, potentially installing malware on the user's system.</li>
<li>The attacker gains unauthorized access to the user's account or system, enabling data theft, lateral movement, or further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful phishing attack via Google Drive can compromise user accounts, leading to unauthorized access to sensitive data and potential data breaches. The impact can range from individual account compromise to widespread organizational damage, including financial losses, reputational damage, and legal liabilities. Organizations can experience a significant disruption of services, especially if critical accounts are compromised. The number of potential victims depends on the scale of the phishing campaign and the attacker's targets within the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>GSuite Suspicious Shared File Name</code> Sigma rule to your SIEM to identify potentially malicious file sharing activity in Google Drive (rules).</li>
<li>Configure your GSuite environment to log Drive events, specifically file sharing activities, to enable the Sigma rule to function correctly (data_source).</li>
<li>Educate users about the risks of opening shared files with suspicious filenames and clicking on links from unknown sources (references).</li>
<li>Review and customize the keyword list in the Sigma rule to align with your organization's specific threat landscape and common phishing themes (search).</li>
<li>Investigate any alerts generated by the Sigma rule, prioritizing those involving sensitive data or high-value targets (summary).</li>
<li>Implement multi-factor authentication (MFA) to mitigate the impact of compromised credentials obtained through phishing attacks (summary).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>phishing</category><category>gsuite</category><category>google_workspace</category></item><item><title>GSuite Email with Suspicious Attachment</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-gsuite-suspicious-attachment/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-gsuite-suspicious-attachment/</guid><description>This analytic detects GSuite emails with suspicious file attachments (e.g., .exe, .bat, .js) which may indicate a spear-phishing attack leading to malware deployment and potential system compromise.</description><content:encoded><![CDATA[<p>This analytic focuses on detecting potential spear-phishing attacks targeting GSuite users by identifying emails containing suspicious attachments. The detection leverages GSuite Gmail logs to identify emails with attachments having file extensions commonly associated with malware, such as .exe, .bat, .js, .vbs, .ps1 and others. The goal is to identify potentially malicious emails that bypass traditional security measures, such as spam filters. Successfully delivered malicious attachments can lead to unauthorized code execution, data breaches, or further network infiltration. This activity is significant as these file types are often used to deliver malicious payloads, posing a risk of compromising targeted machines. The alert is designed to detect anomalies that may indicate a sophisticated spear-phishing attempt.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a spear-phishing email targeting a GSuite user.</li>
<li>The email contains an attachment with a suspicious file extension (e.g., .exe, .bat, .js, .vbs, .ps1).</li>
<li>The target user receives the email in their GSuite Gmail inbox.</li>
<li>The user opens the email and downloads the suspicious attachment.</li>
<li>The user executes the downloaded attachment, initiating the malicious payload.</li>
<li>The malicious payload executes, potentially compromising the user's machine.</li>
<li>The compromised machine establishes a connection to a command-and-control (C2) server.</li>
<li>The attacker gains remote access to the compromised machine, potentially leading to data exfiltration or further lateral movement within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful spear-phishing attack through GSuite can result in the compromise of individual user accounts and machines. This can lead to unauthorized access to sensitive data stored in GSuite, such as emails, documents, and contacts. It can also facilitate the deployment of malware on the compromised machine, potentially leading to data breaches, financial loss, and reputational damage. The impact is further amplified if the compromised user has privileged access to critical systems or data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GSuite Email with Suspicious Attachment</code> to your SIEM and tune for your environment based on the known_false_positives.</li>
<li>Enable alerting on the Sigma rule and prioritize investigation based on the <code>severity</code> field.</li>
<li>Implement user awareness training to educate employees about the risks of opening suspicious attachments and to recognize spear-phishing attempts.</li>
<li>Review and strengthen your organization's email security policies and procedures, focusing on attachment handling and malware prevention.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>gsuite</category><category>spear-phishing</category><category>malicious-attachment</category></item><item><title>GSuite Email with Known Abuse Web Service Links</title><link>https://feed.craftedsignal.io/briefs/2024-01-gsuite-abuse-links/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gsuite-abuse-links/</guid><description>This analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord, commonly used by attackers to deliver malicious payloads leading to malware, phishing, or other harmful activities.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of malicious emails within the GSuite environment that contain links to web services known for abuse, such as Pastebin, Telegram, and Discord. These platforms are often leveraged by threat actors to host and distribute malicious payloads, phishing links, and command-and-control instructions. The detection specifically targets GSuite Gmail logs to identify emails with links containing domains associated with these services. This activity is significant because successful exploitation can lead to malware infections, credential theft, and further compromise of internal systems. The detection logic is based on identifying specific domains within email links and is designed to identify potential threats before they can be successfully executed.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker sends a phishing email to a target within the organization, using a GSuite account.</li>
<li><strong>Delivery:</strong> The email contains a link to a malicious payload hosted on Pastebin.</li>
<li><strong>Redirection:</strong> The user clicks on the link, redirecting them to the attacker-controlled Pastebin page.</li>
<li><strong>Payload Delivery:</strong> The Pastebin page contains obfuscated code, such as a PowerShell script, designed to download and execute a malicious payload.</li>
<li><strong>Execution:</strong> The PowerShell script executes on the victim's machine, downloading a malware stager from a Telegram channel.</li>
<li><strong>Persistence:</strong> The malware stager establishes persistence on the system.</li>
<li><strong>Command and Control:</strong> The malware establishes a command and control (C2) connection with the attacker's server, potentially using Discord as a communication channel.</li>
<li><strong>Impact:</strong> The attacker gains remote access to the compromised system, enabling data exfiltration or deployment of ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to the compromise of sensitive information, system downtime, and financial losses. Organizations using GSuite are at risk. The impact could range from a single compromised user account to a widespread ransomware infection affecting critical business operations. Public reporting suggests similar attacks have resulted in data breaches impacting thousands of users and costing victim organizations millions of dollars in recovery efforts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GSuite Email with Known Abuse Web Service Links</code> to your SIEM to detect emails containing links to known abuse web services (Pastebin, Discord, Telegram, t.me) within GSuite Gmail logs.</li>
<li>Block the known malicious domains (pastebin.com, discord.com, telegram.org, t.me) at your organization's DNS resolver to prevent access to potentially malicious content as per the IOC table.</li>
<li>Enable GSuite Gmail logs to ensure visibility into email traffic and enable the successful operation of the detection rule detailed in this brief.</li>
<li>Implement user awareness training to educate employees about the risks associated with clicking links in emails from unknown senders, especially links to file-sharing or messaging platforms.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>gsuite</category><category>phishing</category><category>malware</category><category>pastebin</category><category>telegram</category><category>discord</category></item></channel></rss>