SANS ISC: Google Drive Phishing - SANS Internet Storm Center SANS ISC InfoSec Forums

Google Drive Phishing

In the past we have seen malware being delivered via Google Docs. You would receive an email stating that a document had been shared, and when you clicked the link bad things would start to happen. In recent weeks the same approach has increasingly been used to phish. You would receive an email along these lines:

We sent you an attachment about your booking using Google Drive
I have sent the attachment for you using Google Drive So Click the Google Drive link below
to view the attachment..
<button>Google Drive</button>

Once the link is clicked you are sent through to a web site where you are presented with the following screen:

Clicking on any of these will ask you for a user ID and password for that service. The link in the email should be easy to recognise as not being a Google link, but many people still do not check this. If you are doing an awareness campaign or reminder, maybe include some info on recognising phishing links.








ISC Handler
Nov 13th 2013
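
For the diary's point about recognising links that are not Google links, here is an added example (not part of the original diary or its comments) that checks an HTML mail body for links labelled with a Google brand name whose real host is outside Google's domains. The domain list, brand words, function names and the `example.net` sample links are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: hosts under these domains count as Google's.
GOOGLE_DOMAINS = ("google.com",)
BRAND_WORDS = ("google", "gmail")

class LinkCollector(HTMLParser):
    """Collect (visible label, href) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def is_google_host(url):
    """True only if the URL's real host is a Google domain or a subdomain of one."""
    # urlsplit drops any "user@" prefix, so "google.com@other.host" yields other.host.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)

def suspicious_links(html_body):
    """Return links whose label names Google but whose target host is not Google's."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(label, href) for label, href in parser.links
            if any(w in label.lower() for w in BRAND_WORDS) and not is_google_host(href)]

# Constructed sample modelled on the lure quoted above; example.net is a placeholder.
SAMPLE = """<p>I have sent the attachment for you using Google Drive</p>
<a href="http://drive.google.com.example.net/view"><button>Google Drive</button></a>
<a href="https://drive.google.com@example.net/doc">Google Drive</a>
<a href="https://drive.google.com/file/d/abc">Google Drive</a>"""

if __name__ == "__main__":
    for label, href in suspicious_links(SAMPLE):
        print(f"label {label!r} points at non-Google host: {href}")
```

The two flagged sample links show the cases worth putting in awareness material: a Google name used as a subdomain of another site, and a Google name placed before an `@` in the address.
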
I've run into this one repeatedly in the last several months. The Emerging Threats NIDS rules 2015910-2015914 have been doing a good job catching the exfiltration of stolen email credentials related to this particular phish. In my most recent incident with this, the affected user reported that upon entering his Gmail credentials into the fake Google Docs logon, he was actually passed through to the real Google Docs and was automatically logged in with the stolen credentials. He did not have a clue that he had just been phished!

Kevin Branch
Branch Network Consulting
Do we have any additional information about this? Attachment name? Known links/URLs being used?


I saw one today with this URL:

One of our employees received one in June, and I've included a link to a small write-up of what it seemed to do (including the URL, filenames, etc it was using).
Hopefully it includes something helpful, Robbie!

-- Jason Rush