Hi, If you haven't heard, there was a huge Google Docs phishing attack today. Several hundred bypassed our filters in the hour or so before we were able to identify them. The To address is always "hhhhhhhhhhhhh...@mailinator.com" and the subject is always "<User Name> has shared a document on Google Docs with you" where "user name" is some random user.
https://www.theatlantic.com/technology/archive/2017/05/did-someone-just-share-a-random-google-doc-with-you/525279/

I wanted to provide an example in case it helps, even though chances are the campaign is dead. We've seen Google proxy and redirect attacks before and will probably see them again.

https://pastebin.com/aWVaMMni

I also have a few questions about why it wasn't blocked.

  X-Spam-Status: No, score=3.721 tagged_above=-200 required=5
      tests=[BAYES_50=0.8, BODY_NEWDOMAIN_FMBLA=0.1, DKIM_SIGNED=0.1,
      DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_PASS_NONE=-0.001,
      FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOC_FRAUD_DOC=2,
      LOC_URI_RARE_TLD=0.6, RCVD_IN_DNSWL_NONE=-0.0001,
      RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
      RCVD_IN_SENDERSCORE_80_89=-0.2, RCVD_IN_SORBS_SPAM=0.5,
      RELAYCOUNTRY_US=0.01, SPF_PASS=-0.001, T_DMARC_POLICY_NONE=0.01,
      T_DMARC_SIMPLE_DKIM=0.01, T_DMARC_TESTS_PASS=0.01,
      UNPARSEABLE_RELAY=0.001] autolearn=disabled

Other emails hit RCVD_IN_DNSWL_HI which subtracts 5 points.

What is the UNPARSEABLE_RELAY? It's in virtually every one of these.

The LOC_FRAUD_DOC is a local rule and the LOC_URI_RARE_TLD was for '.pro' from John's rules some time ago. They're only scored at 0.6. Obviously training these would be enough to put them over to spam, but would someone like to look at the URI in the body to create a possible rule?

It's likely Google is looking at this more closely - do you think they will put an end to the redirect that's being used?

Should the score for .pro domains and other rare TLDs be higher?

Have you received any of these? Have you done anything to prevent them next time or from being received this time?
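The questions above about the score of LOC_URI_RARE_TLD and the effect of RCVD_IN_DNSWL_HI come down to arithmetic on the X-Spam-Status header, so the following added example (not part of the original post, and not SpamAssassin's or Amavis's own code) parses that header, checks that the reported score is the rounded sum of the listed rule scores, and re-scores the message under "what if" changes. The sample header is the one quoted in the post; the 2.0 used for LOC_URI_RARE_TLD is a hypothetical value, and the -5 for RCVD_IN_DNSWL_HI is taken from the poster's statement that it subtracts 5 points, not from a rules file.

```python
import re
from decimal import Decimal

# Constructed sample: the X-Spam-Status header quoted in the post, on one line
# the way an MTA delivers it after unfolding.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=3.721 tagged_above=-200 required=5 "
    "tests=[BAYES_50=0.8, BODY_NEWDOMAIN_FMBLA=0.1, DKIM_SIGNED=0.1, "
    "DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_PASS_NONE=-0.001, "
    "FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOC_FRAUD_DOC=2, "
    "LOC_URI_RARE_TLD=0.6, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, "
    "RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SENDERSCORE_80_89=-0.2, "
    "RCVD_IN_SORBS_SPAM=0.5, RELAYCOUNTRY_US=0.01, SPF_PASS=-0.001, "
    "T_DMARC_POLICY_NONE=0.01, T_DMARC_SIMPLE_DKIM=0.01, T_DMARC_TESTS_PASS=0.01, "
    "UNPARSEABLE_RELAY=0.001] autolearn=disabled"
)

# Assumed header shape: "X-Spam-Status: <Yes|No>, score=<n> ... required=<n> ... tests=[...]"
HEADER_RE = re.compile(
    r"X-Spam-Status:\s*(?P<verdict>Yes|No),\s*score=(?P<score>-?[\d.]+)"
    r".*?required=(?P<required>-?[\d.]+).*?tests=\[(?P<tests>[^\]]*)\]",
    re.S,
)


def parse_spam_status(header):
    """Return (verdict, score, required, {rule: score}).

    Scores are kept as Decimal so that summing 21 small values is exact and
    comparable to the three-decimal score SpamAssassin reports."""
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = {}
    for item in m.group("tests").split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tests[name] = Decimal(value)
    return (m.group("verdict"), Decimal(m.group("score")),
            Decimal(m.group("required")), tests)


def total(tests):
    """Sum of all rule scores that fired."""
    return sum(tests.values(), Decimal(0))


def verdict(tests, required):
    """SpamAssassin marks a message as spam once the total reaches 'required'."""
    return "Yes" if total(tests) >= required else "No"


def check_header(header):
    """Return (computed_total, consistent): is the reported score the rounded
    sum of the listed rules, and does the reported verdict follow from it?"""
    reported_verdict, score, required, tests = parse_spam_status(header)
    computed = total(tests)
    consistent = (round(computed, 3) == score
                  and verdict(tests, required) == reported_verdict)
    return computed, consistent


def what_if(tests, required, overrides):
    """Re-score with some rules given different or additional scores, the way a
    'score RULE n' line in local.cf (or an extra list hit) would change them."""
    adjusted = dict(tests)
    adjusted.update({name: Decimal(value) for name, value in overrides.items()})
    return total(adjusted), verdict(adjusted, required)


if __name__ == "__main__":
    computed, ok = check_header(SAMPLE_HEADER)
    _, _, required, tests = parse_spam_status(SAMPLE_HEADER)
    print(f"sum of rule scores = {computed}, header consistent: {ok}")
    # Hypothetical: raise the rare-TLD rule from 0.6 to 2.0 in local.cf.
    print("LOC_URI_RARE_TLD=2.0 ->", what_if(tests, required, {"LOC_URI_RARE_TLD": "2.0"}))
    # Per the post, a DNSWL_HI hit on the relay subtracts 5 points and masks local rules.
    print("plus RCVD_IN_DNSWL_HI=-5 ->", what_if(tests, required, {"RCVD_IN_DNSWL_HI": "-5"}))
```

The sum of the listed rules comes to 3.7209, which SpamAssassin reports as 3.721; raising the rare-TLD rule alone to 2.0 lifts the same message to 5.1209, past the required 5, while a -5 whitelist hit on the relay drags it to -1.2791 regardless of any local rule score, which is why a positive rule bump and a whitelist review have to be considered together.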