Attack lab: Spear Phishing with Google Drive Sharing

Follow along as we show you how scammers are spear phishing with Google Drive sharing to avoid the traditional SPAM filters in Gmail that would otherwise catch their scams.
Nathan Coppinger
4 min read
Published March 2, 2021
Last updated July 7, 2023

Phishing scams are as old as the internet—tricking victims into divulging important information about themselves and their accounts. These scams are so common that all of the major email providers have built-in anti-phishing features. Improved email security has forced hackers to get creative when it comes to getting their malicious links to hit the inbox.


However, crafty scammers are now spear phishing with Google Drive’s sharing features to send emails with links to infected documents to their targets. These email notifications include a note and a link asking the victim to click the included link to sign in to their Google account to collaborate on a project or fill out official HR forms.

Much like typical spear-phishing campaigns, Google Drive attackers will create a fake email address to impersonate an individual or department that the target will recognize. But instead of using a low reputation sending domain that’ll trigger SPAM filters, they’re using Google’s own infrastructure. As a result, the victim’s mail provider has a much harder time differentiating these emails from legitimate ones sent by trusted sources.

These attacks are targeting individuals and enterprises alike. According to Wired, there have been instances of a single document from a Russian source being copied and edited multiple times in an attempt to lure new victims with each iteration.

Let’s go on a Phishing trip

For the purpose of this spear phishing with Google Drive walkthrough, we will be posing as (fake) Varonis executive Mike T. Kettle to ask an unsuspecting Varonis employee to sign into their employee account to help him with an important project.

When sharing these fake documents, the first step the imposter takes will usually be unchecking the box that sends an email notification.

The reason for this step is that if they notify their target via email, the “from” address in the notification message may tip the target off to the ruse. Below you can see an obviously fake sender address attached to the notification; any user would recognize it as fake, regardless of it being sent from a generic Gmail account.

phishing message gets sorted into SPAM

However, more crafty spear-phishers might make their address MikeTKettle@gmail.com (if available) and leave their notifications on, tricking some less savvy users into clicking on the document coming from a familiar name without thinking twice about it being sent from a generic domain rather than an official company domain.

Since the scammers disable the email notification, they will have to leave their hook in the water for a while, as they are banking on users stumbling upon the document the next time they are browsing their Google Drive.

In our example, you can see the fraudulent document has appeared directly in the unsuspecting victim’s “My Drive” and only presents the sender’s name. The suspicious email address is nowhere in sight.

Only the name appears when documents are shared, not an email address

Once users open the shared document, they are presented with a large, tempting blue link claiming to take our Varonis user to an important document from Mike himself; in reality it reroutes users to an external site or document.

For this example, “Mike’s” link will take users that click on it to a very convincing spoofed Varonis landing page, asking for login credentials to gain access to the shared document.

Once users click login, the attackers will have their credentials saved, and the button will spit them back out to the Varonis homepage (or any page the hacker linked to the login button). Now our victim’s account has been compromised, and they are left confused about why they weren’t taken to the important document that Mike needed help editing.

Many off-the-shelf tools, such as Evilginx, help you craft amazing-looking phishing pages… for running phishing simulations, of course.

In real-world examples of this scam, the links included in these forms can take users to a number of different locations depending on the scammers’ end-goal. Users might see a similarly well-crafted fake landing page asking for credentials to log into a familiar service, while others might be directed to a Google form requesting users to fill in a survey, attempting to get users to divulge sensitive details like answers to common security questions.

Fake Google Forms

How to Mitigate Google Drive Phishing Risk

Currently, defending against this scam can be challenging. Google is doing their best to combat this technique, but unlike Gmail, Google Drive does not yet have a SPAM filter that catches these shared documents. Hence, the burden of defense falls on the targeted individuals and organizations.

As with all phishing scams, traditional or otherwise, the first line of defense is education. Educating your organization on the signs of spear phishing with Google Drive sharing is imperative to protecting users and their sensitive information. Users should know to not click on any suspicious links or enter any personal information that doesn’t come from your organization’s official lines of contact.

Organizations can also take a proactive approach against these scammers by implementing tighter control over which types of external vendors and users can email and share documents to internal users. Filtering your external vendor list down to only trusted vendors will help stop these documents from showing up in users’ Drive folders.

Security teams can set up “allow-lists” in Google that set permissions to only allow specific external contacts to share files and documents with users on your network. But setting up comprehensive allow-lists can be an arduous process that proves challenging to maintain for most. They can adversely affect your business if legitimate external vendors not on your list are trying to contact you only to be filtered out.

Taking these steps to protect your organization is vital to security, but they can only go so far. Implementing third-party threat detection and response software to help secure your environment from threats and monitor users’ Google Drive accounts can be highly effective when it comes to defending against phishing scams.

Solutions like Polyrize and Varonis can help alert on suspicious activity both on-premises and in the cloud, flagging suspicious documents and email addresses being shared, and notifying security teams to take action if anything has been compromised. Suppose a user does, unfortunately, fall for one of these scams and enters their credentials or sensitive information. In that case, Varonis can monitor for unusual behavior on your network and automatically flag this suspicious activity, shutting down user sessions and changing passwords to help mitigate any potential damage done by an attacker.
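To make the allow-list and detection ideas from the two paragraphs above concrete, here is an added example (not Varonis, Polyrize or Google code) that triages Drive sharing events: it flags shares from external domains that are not on an allow-list, flags a familiar display name arriving from an address other than that person’s directory address (the “Mike T. Kettle” from gmail.com trick), and notes when the sharer suppressed the email notification. The event format, the internal directory and the domain names are all constructed for illustration.

```python
import re

# Constructed, simplified sharing events; not the real Google Workspace audit log schema.
SHARE_EVENTS = [
    {"doc": "Q1 Project Plan", "owner": "mike.kettle@varonis.com",
     "owner_name": "Mike T. Kettle", "notified": True},
    {"doc": "Important Project", "owner": "MikeTKettle@gmail.com",
     "owner_name": "Mike T. Kettle", "notified": False},
    {"doc": "Invoice 1042", "owner": "billing@trusted-vendor.example",
     "owner_name": "Trusted Vendor Billing", "notified": True},
    {"doc": "HR Forms 2021", "owner": "hr-dept@unknown-partner.example",
     "owner_name": "HR Department", "notified": False},
]

INTERNAL_DOMAIN = "varonis.com"
# Assumed allow-list of external domains permitted to share into the organisation.
ALLOWED_EXTERNAL_DOMAINS = {"trusted-vendor.example"}
# Assumed internal directory: display name -> the address that name should come from.
INTERNAL_DIRECTORY = {"Mike T. Kettle": "mike.kettle@varonis.com"}


def _norm(name):
    """Normalise a display name so 'Mike T. Kettle' and 'MikeTKettle' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())


def classify(event):
    """Return the list of reasons a share looks suspicious (empty list = nothing flagged)."""
    owner = event["owner"].lower()
    domain = owner.rsplit("@", 1)[-1]
    reasons = []
    if domain != INTERNAL_DOMAIN and domain not in ALLOWED_EXTERNAL_DOMAINS:
        reasons.append(f"external domain not on allow-list: {domain}")
    # A familiar name sent from an address that is not that person's directory address.
    directory = {_norm(n): a.lower() for n, a in INTERNAL_DIRECTORY.items()}
    expected = directory.get(_norm(event["owner_name"]))
    if expected and expected != owner:
        reasons.append(f"display name impersonates internal user {expected}")
    # Silent sharing is normal internally, so only count it once something else is off.
    if reasons and not event["notified"]:
        reasons.append("shared without email notification")
    return reasons


def triage(events):
    """Map each document title to its list of findings."""
    return {e["doc"]: classify(e) for e in events}
```

Feeding real events in would mean mapping the sharer address, display name and notification flag from your own audit source into the same three fields.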

To learn more about how these attacks are carried out in real time, register for one of our Attack Lab simulations to see our experts walk through common cyberattacks and discuss how to properly defend against these malicious entities.
