FTR:
Google closed this hole real fast.

SA's redirect patterns detected these domains and my logs show most were listed by the domain lists within a few minutes.

On 05/04/2017 03:37 AM, Alex wrote:
Hi,

If you haven't heard, there was a huge Google Docs phishing attack
today. Several hundred bypassed our filters in the hour or so before
we were able to identify them. The To address is always
"hhhhhhhhhhhhh...@mailinator.com" and the subject is always "<User
Name> has shared a document on Google Docs with you" where "user name"
is some random user.

https://www.theatlantic.com/technology/archive/2017/05/did-someone-just-share-a-random-google-doc-with-you/525279/

I wanted to provide an example in case it helps, even though chances
are the campaign is dead. We've seen Google proxy and redirect attacks
before and will probably see them again.

https://pastebin.com/aWVaMMni

I also have a few questions about why it wasn't blocked.

X-Spam-Status: No, score=3.721 tagged_above=-200 required=5
    tests=[BAYES_50=0.8, BODY_NEWDOMAIN_FMBLA=0.1, DKIM_SIGNED=0.1,
    DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_PASS_NONE=-0.001,
    FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOC_FRAUD_DOC=2,
    LOC_URI_RARE_TLD=0.6, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
    RCVD_IN_SENDERSCORE_80_89=-0.2, RCVD_IN_SORBS_SPAM=0.5,
    RELAYCOUNTRY_US=0.01, SPF_PASS=-0.001, T_DMARC_POLICY_NONE=0.01,
    T_DMARC_SIMPLE_DKIM=0.01, T_DMARC_TESTS_PASS=0.01,
    UNPARSEABLE_RELAY=0.001] autolearn=disabled

Other emails hit RCVD_IN_DNSWL_HI which subtracts 5 points.

What is the UNPARSEABLE_RELAY? It's in virtually every one of these.

The LOC_FRAUD_DOC is a local rule and the LOC_URI_RARE_TLD was for
'.pro' from John's rules some time ago. They're only scored at 0.6.

Obviously training these would be enough to put them over to spam, but
would someone like to look at the URI in the body to create a possible
rule? It's likely Google is looking at this more closely - do you
think they will put an end to the redirect that's being used?

Should the score for .pro domains and other rare TLDs be higher?

Have you received any of these? Have you done anything to prevent them
next time or from being received this time?
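To see how the quoted header adds up to 3.721, and what a different score on one rule would have done to the verdict, here is an added Python example; it is not code from the thread or from SpamAssassin, and the parser and rescoring helper assume the amavis-style "tests=[NAME=score, ...]" layout shown above.

```python
import re

# Constructed sample: the X-Spam-Status header quoted in the thread, unfolded onto one line.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=3.721 tagged_above=-200 required=5 "
    "tests=[BAYES_50=0.8, BODY_NEWDOMAIN_FMBLA=0.1, DKIM_SIGNED=0.1, "
    "DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_PASS_NONE=-0.001, "
    "FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOC_FRAUD_DOC=2, "
    "LOC_URI_RARE_TLD=0.6, RCVD_IN_DNSWL_NONE=-0.0001, "
    "RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, "
    "RCVD_IN_SENDERSCORE_80_89=-0.2, RCVD_IN_SORBS_SPAM=0.5, "
    "RELAYCOUNTRY_US=0.01, SPF_PASS=-0.001, T_DMARC_POLICY_NONE=0.01, "
    "T_DMARC_SIMPLE_DKIM=0.01, T_DMARC_TESTS_PASS=0.01, "
    "UNPARSEABLE_RELAY=0.001] autolearn=disabled"
)


def parse_spam_status(header):
    """Return (reported_score, required, {rule: score}) from an amavis-style
    X-Spam-Status header (assumed layout: score=, required=, tests=[...])."""
    score = float(re.search(r"score=(-?[\d.]+)", header).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", header).group(1))
    tests_blob = re.search(r"tests=\[(.*?)\]", header).group(1)
    tests = {}
    for item in tests_blob.split(","):
        name, _, value = item.strip().partition("=")
        tests[name] = float(value) if value else 0.0
    return score, required, tests


def rescore(tests, required, overrides=None):
    """Sum the per-rule scores after applying overrides (a rule name mapped to a
    new score, or to an added rule that did not hit); return (total, flagged)."""
    merged = dict(tests)
    merged.update(overrides or {})
    total = round(sum(merged.values()), 3)
    return total, total >= required


def heaviest_rules(tests, n=3):
    """The n rules contributing the most positive score, highest first."""
    return sorted((r for r in tests if tests[r] > 0), key=lambda r: -tests[r])[:n]


if __name__ == "__main__":
    score, required, tests = parse_spam_status(SAMPLE_HEADER)
    print("reported", score, "recomputed", rescore(tests, required))
    print("carrying the weight:", heaviest_rules(tests))
    # What-if: LOC_URI_RARE_TLD scored at 2.0 instead of 0.6 (the question in the thread).
    print("rare TLD at 2.0:", rescore(tests, required, {"LOC_URI_RARE_TLD": 2.0}))
    # What-if: the relay had hit RCVD_IN_DNSWL_HI (-5), as other messages did.
    print("with DNSWL_HI:", rescore(tests, required, {"RCVD_IN_DNSWL_HI": -5.0}))
```

The recomputed sum reproduces the reported 3.721, and the two what-if calls show that one local rule change flips the verdict while a -5 whitelist hit buries everything else.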

