Google Docs (MALWARE follow up)

A general thanks to GSuite admins & Google

I followed many different threads to address this issue and wanted to share with you all what was done from the Google Admin side to mitigate it:

The data flow

In the next 15 minutes I had received three more messages with the same body, sending email address and “Google Doc” file; this seemed to be an issue. It was quickly followed by calls on the radio, the tech phone line and more individual emails.

  • Using the Google Admin tool I began working on quarantining the message. I was still trying to determine whether the message was coming from a standard email address, domain or user in order to manage the flow.
  • Within Google Apps > Gmail I added a quarantine (just called it 20170503). This just gives a bucket for the emails to go to when they are quarantined.
  • The actual search phrase needs to be defined and assigned to the quarantine from Advanced Settings.
  • I set a Blocked Sender (using the address AND the domain).
  • I set a Content Compliance rule using the following criteria (to keep emails from passing internally and being sent outside): Inbound, Outbound, Internal-Sending, Internal-Receiving, and had it match ANY expression “”. I then pointed the messages to the above 20170503 quarantine location.

The above was a sledgehammer approach, but it seemed warranted as I saw the growing news and comments on the internet. It also gave me some time to slow down a bit, read and then work on next steps.

By this time, they had confirmed that all emails were coming from “” and that the method was granting access to a third-party app called “Google Docs”, which then replicated itself using the “new” user’s contact list.

After reading some comments online, I found that the Google Admin tools can assist in searching for a third-party app in users’ accounts but provided no way to block, remove or revoke the app. Enter BetterCloud.

I have been using BetterCloud for a number of years to assist with managing our user base (onboarding, management and user updates as well as deprovisioning accounts). With their new Workflow solutions, I’m even more interested (but I digress). This offered me the ability to check the connected apps (globally, in all 1500+ accounts) and search for Google Docs.

  • BetterCloud>Google Apps>Audit to get to the area to search for connected apps within Google
  • Filter based on App Name — All Apps (in this case Google Docs)
  • Select ALL and Blacklist

I was very unfamiliar with this area of BetterCloud, so it required a bit of testing, but it showed that about 30 users had granted the app access.

I’m reviewing BetterCloud and our domain at this time to see whether creating a policy would make sense (to protect against this in the future). It could be set to wait for approval if an app is asking for certain concerning permissions (sending email on the user’s behalf, or read/write access to Google Drive).
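The same sweep (find every account that granted a third-party app, then revoke it) can be scripted without a third-party console, and the script can also apply the scope-based policy idea from the paragraph above. The example below is added here and is not the author's procedure or BetterCloud's code. It targets the Google Admin SDK Directory API `users.tokens` resource (`tokens().list(userKey=...)` and `tokens().delete(userKey=..., clientId=...)`), which is what a `service` built with `googleapiclient.discovery.build("admin", "directory_v1", credentials=creds)` exposes when the admin credential holds the `admin.directory.user.security` scope. To run offline it includes a fake service over constructed sample tokens; the client IDs, user names and the high-risk scope list are illustrative assumptions, not values from the 2017 incident. Two practitioner caveats are built in: a grant is flagged by display name only if it also carries a mail/contacts/Drive scope (the malicious app called itself “Google Docs”, and a harmless app could pick the same name), and a known-bad `clientId` is matched regardless of name. Run it in dry-run mode first.

```python
"""Find and revoke OAuth grants to a suspicious third-party app across a
Google Workspace domain via the Admin SDK Directory API `users.tokens`
resource. Added example; not the post author's or BetterCloud's code.
`service` is assumed to behave like
googleapiclient.discovery.build("admin", "directory_v1", credentials=creds).
"""
from __future__ import annotations
from dataclasses import dataclass

# Scopes that let an app read mail, send as the user, or walk contacts:
# the permissions a self-propagating OAuth worm needs. Illustrative list.
HIGH_RISK_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/drive",
})


@dataclass(frozen=True)
class Grant:
    user_key: str
    client_id: str
    display_text: str
    scopes: frozenset[str]

    @property
    def risky_scopes(self) -> frozenset[str]:
        return self.scopes & HIGH_RISK_SCOPES


def grants_for_user(service, user_key: str) -> list[Grant]:
    """users.tokens.list for one user; field names follow the API's Token
    resource (clientId, displayText, scopes)."""
    resp = service.tokens().list(userKey=user_key).execute()
    return [Grant(user_key, t["clientId"], t.get("displayText", ""),
                  frozenset(t.get("scopes", []))) for t in resp.get("items", [])]


def is_suspect(grant: Grant, app_name: str,
               known_client_ids: set[str] | None = None) -> bool:
    """Known-bad clientId always matches. Otherwise require BOTH the app
    name and at least one high-risk scope, since the name is attacker-chosen."""
    if known_client_ids and grant.client_id in known_client_ids:
        return True
    return (grant.display_text.strip().lower() == app_name.lower()
            and bool(grant.risky_scopes))


def revoke_suspect_grants(service, user_keys, app_name: str,
                          known_client_ids: set[str] | None = None,
                          dry_run: bool = True) -> list[Grant]:
    """Sweep every user; return the grants that matched (and were revoked
    unless dry_run). users.tokens.delete revokes the app's refresh token."""
    hits = []
    for user_key in user_keys:
        for g in grants_for_user(service, user_key):
            if is_suspect(g, app_name, known_client_ids):
                if not dry_run:
                    service.tokens().delete(userKey=user_key,
                                            clientId=g.client_id).execute()
                hits.append(g)
    return hits


# --- Offline stand-in for the Directory API (constructed data) ------------
class _Call:
    def __init__(self, fn): self._fn = fn
    def execute(self): return self._fn()


class _FakeTokens:
    def __init__(self, store): self.store = store
    def list(self, userKey):
        return _Call(lambda: {"items": list(self.store.get(userKey, []))})
    def delete(self, userKey, clientId):
        def run():
            self.store[userKey] = [t for t in self.store[userKey]
                                   if t["clientId"] != clientId]
        return _Call(run)


class FakeDirectoryService:
    """Mimics service.tokens().list(...).execute() / .delete(...).execute()."""
    def __init__(self, store): self._tokens = _FakeTokens(store)
    def tokens(self): return self._tokens


# Constructed sample tokens.list output; client IDs are placeholders.
SAMPLE_TOKENS = {
    "alice@example.edu": [
        {"clientId": "00000-worm.apps.googleusercontent.com", "displayText": "Google Docs",
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
        {"clientId": "calendar-sync.example", "displayText": "Calendar Sync",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ],
    "bob@example.edu": [  # same name, but only a benign scope: not flagged
        {"clientId": "notes-app.example", "displayText": "Google Docs",
         "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    ],
    "carol@example.edu": [],
}

if __name__ == "__main__":
    store = {u: [dict(t) for t in ts] for u, ts in SAMPLE_TOKENS.items()}
    svc = FakeDirectoryService(store)
    for g in revoke_suspect_grants(svc, list(store), "Google Docs", dry_run=True):
        print(f"would revoke {g.client_id} for {g.user_key}: {sorted(g.risky_scopes)}")
```

In production, iterate `user_keys` from `users().list(customer="my_customer", ...)` with paging, and feed the real malicious `clientId` into `known_client_ids` once Google or your own token listing identifies it, so that renamed copies of the app are still caught.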

Friends Seminary Google Docs by the numbers:

  • First email seen by tech 2:30pm
  • Response started by tech around 2:45pm with the quarantine steps & blocked all emails from the known address
  • By 3pm we had locked down the internal & external sending
  • By 4pm we only saw 61 emails in our quarantine
  • When revoking the Google Docs app, we only had about 40 users showing they had granted access to the app
  • By 4:30pm Google had addressed the issue on their side to revoke the app and certificates as well as blocking the emails and backend side

Some additional mainstream media news coverage on this malware:

If anyone has comments, suggestions or things they did (or would have suggested I do), let me know.

[20170505 UPDATED]
From Google regarding the attack, process and their response.



Technology professional
