A new phishing campaign has been detected that uses Google Drive links to avoid detection by Office 365 Exchange Online Protection and ensure messages are delivered to inboxes.

web protection

The emails, reported through Cofense Intelligence, impersonated the CEO of the company who was attempting to share an important document. The document had been shared via Google Drive and came with the message, “Important message from – CEO.”

Google Drive allows files and collaboration requests to be easily sent to other individuals. The account holder chooses who to share a file with and the system generates an email alert containing a link to the shared file.

In this case, the name of the CEO was correct, but the email address used was different to the format used by the company. While this is a clear sign that the emails are not what they seem, some employees would likely be fooled by the message.

Importantly, the messages are not detected as malicious by EOP and are delivered to inboxes. A scan of the message would reveal nothing untoward, as the embedded URL is a legitimate shared link to a genuine cloud service operated by Google.

The shared document itself is not malicious, but it does link to another Google Docs document and a phishing URL. Any anti-phishing solution that only assesses the embedded hyperlink in the email to determine whether it is malicious would allow the email to be delivered. Only a deeper inspection would reveal the true nature of the URL.

If the link is visited by an end user, a fake login window is presented. If login credentials are entered, they are captured and stored on the attacker’s server.

This campaign highlights the importance of multi-layered anti-phishing defenses and the risks of relying on EOP to provide protection against phishing attacks.

An advanced spam filtering solution should be implemented on top of Office 365 to provide greater protection from phishing and other email-based attacks. This will ensure more sophisticated phishing attacks are blocked.

If a malicious message is delivered and a link is clicked, the connection to the malicious webpage could be blocked using a web filtering solution.

WebTitan is a DNS-based content filtering solution that serves as an additional layer in organization’s anti-phishing defenses.  Should an attempt be made by an employee to visit a malicious website or suspicious domain, the attempt would be blocked before any content is downloaded. WebTitan assesses each website when the DNS query is made. Malicious websites and those that violate an organization’s content control policies are blocked.

To find out more about how a DNS filter can improve your defenses against phishing attacks and malware downloads, contact TitanHQ today.