On Wed, 3 May 2017, Alex wrote:
> If you haven't heard, there was a huge Google Docs phishing attack
> today.

Our IT department actually warned us of this one...

> I wanted to provide an example in case it helps, even though chances
> are the campaign is dead. We've seen Google proxy and redirect attacks
> before and will probably see them again.
>
> https://pastebin.com/aWVaMMni

Thanks.

> Other emails hit RCVD_IN_DNSWL_HI which subtracts 5 points.

It apparently includes resending from the victim, so possibly you got some
copies from victims in trusted domains.

> What is the UNPARSEABLE_RELAY? It's in virtually every one of these.

One of the Received: headers' format is unrecognized. I'll let someone
else analyze that in detail.

> The LOC_FRAUD_DOC is a local rule and the LOC_URI_RARE_TLD was for
> '.pro' from John's rules some time ago. They're only scored at 0.6.
> Obviously training these would be enough to put them over to spam, but
> would someone like to look at the URI in the body to create a possible
> rule?

That's easy:

  uri GOOG_ACCT_MGT_URI m,://accounts.google.com/,i

(That's off the top of my head and untested, so there might be
embarrassing stuff like simple syntax errors... :) )

> It's likely Google is looking at this more closely - do you
> think they will put an end to the redirect that's being used?

Maybe, but that's whack-a-mole.

> Should the score for .pro domains and other rare TLDs be higher?

Do you get any legit mail from those domains?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
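
The two signals discussed in this thread (a link on accounts.google.com, and a rare TLD such as '.pro') combined into one check, written in Python as an added example; it is not code from the original message or from SpamAssassin. It assumes the hand-off destination appears as a URL in a query-parameter value of the Google link; the sample body, hosts, paths and parameter names are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: '.pro' is the only rare TLD the thread names; extend per site.
RARE_TLDS = {"pro"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _host(url):
    """Lower-cased hostname of an http(s) URL, or '' if it is not one."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()

def embedded_targets(url):
    """Hosts of http(s) URLs carried (percent-decoded) in url's query string."""
    try:
        query = urlsplit(url).query
    except ValueError:
        return []
    return [h for _name, value in parse_qsl(query) if (h := _host(value))]

def suspicious_google_redirects(body):
    """(url, target_host) pairs: accounts.google.com links handing off to a rare TLD."""
    hits = []
    for url in URL_RE.findall(body):
        if _host(url) != "accounts.google.com":  # exact host, not a substring match
            continue
        for target in embedded_targets(url):
            if target.rsplit(".", 1)[-1] in RARE_TLDS:
                hits.append((url, target))
    return hits

# Constructed sample body; hosts, paths and parameter names are made up.
SAMPLE_BODY = """\
Open in Docs: https://accounts.google.com/constructed/path?client=constructed&target=https%3A%2F%2Frare-tld-sample.pro%2Fcb
Account help: https://accounts.google.com/constructed/help?next=https%3A%2F%2Fmail.google.com%2F
Lookalike: https://accountsXgoogle.com/?target=https%3A%2F%2Frare-tld-sample.pro%2F
"""

if __name__ == "__main__":
    for url, target in suspicious_google_redirects(SAMPLE_BODY):
        print(f"rare-TLD hand-off to {target}: {url}")
```

Only the first sample link is reported: the second hands off to a common TLD, and the third is a lookalike host that an unanchored pattern with unescaped dots would also match.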