Splunk Lantern

Gsuite calendar invite sharing detection

Attackers may make phishing attempts via rogue calendar invites. In this use case, the attacker sends multiple invitations via Google Calendar, sometimes with a document attachment. In this case the bad actors often send the calendar invites out in large quantities. This search is designed to detect such scenarios.

Required data

Google Workspace

Detecting this type of attack requires a logging infrastructure configured to ingest Gsuite logs, specifically the visibility, owner, and target user parameters of calendar events. You can view the range of parameters used in these searches here.

Procedure

You might need to adjust this search for your environment and for the specific findings behind a detection or hunt policy, which can be customized per timeframe, subdomain, or organizational unit.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype="gsuite:calendar:json" email=[username] parameters.target_calendar_id > 1 
| stats count BY ip_address email parameters.api_kind parameters.organizer_calendar_id 
parameters.target_calendar_id parameters.event.title

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

sourcetype="gsuite:calendar:json" email=[username]

Search for invitations directed to specific users. If you use [*] within username, you can find all users.

parameters.target_calendar_id > 1

Search for the number of invitations sent.

| stats count BY ip_address email parameters.api_kind parameters.organizer_calendar_id parameters.target_calendar_id parameters.event.title

Count results by the number of parameters.target_calendar_id values, the event title (parameters.event.title), the number of invitations, and information from fields such as "name", which contains events like add_event_guest or create_event. If you sort count in descending order, the large numbers are the ones to investigate.
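As an added example that is not part of this Lantern page or of Splunk's own code, the following Python reproduces the logic of the search above (the `email=[username]` filter, with `*` for all users, and the `stats count BY` aggregation over the same fields) against constructed `gsuite:calendar:json` records, and goes one step further than the search by rolling the counts up per sender so that a bulk-invite campaign stands out as a single large number. The record shape, field names, e-mail addresses, IP addresses and event titles are all assumptions made for this example.

```python
import json
from collections import Counter
from typing import Any, Iterable

# Constructed sample log lines in the assumed shape of sourcetype=gsuite:calendar:json events.
# Field names follow the ones the search references; every value here is invented.
SAMPLE_LOG_LINES = [
    json.dumps({"email": "mallory@example.com", "ip_address": "203.0.113.10",
                "name": "add_event_guest",
                "parameters": {"api_kind": "web",
                               "organizer_calendar_id": "mallory@example.com",
                               "target_calendar_id": f"user{i}@example.com",
                               "event": {"title": "Overdue invoice - open attached file"}}})
    for i in range(1, 7)
] + [
    json.dumps({"email": "alice@example.com", "ip_address": "198.51.100.5",
                "name": action,
                "parameters": {"api_kind": "web",
                               "organizer_calendar_id": "alice@example.com",
                               "target_calendar_id": "bob@example.com",
                               "event": {"title": "Weekly sync"}}})
    for action in ("create_event", "add_event_guest")
]

# The same BY clause as the Splunk search.
GROUP_BY = ["ip_address", "email", "parameters.api_kind",
            "parameters.organizer_calendar_id", "parameters.target_calendar_id",
            "parameters.event.title"]


def get_field(record: dict, dotted: str) -> Any:
    """Resolve a Splunk-style dotted field name (parameters.event.title) in a nested record."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse raw JSON log lines, skipping malformed ones instead of aborting the run."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def filter_by_user(events: list[dict], username: str = "*") -> list[dict]:
    """Mirror `email=[username]`; "*" (the page's [*]) matches every user."""
    if username == "*":
        return list(events)
    return [e for e in events if get_field(e, "email") == username]


def stats_count_by(events: list[dict], fields: list[str] = GROUP_BY) -> Counter:
    """Equivalent of `| stats count BY <fields>`: one bucket per distinct field combination."""
    return Counter(tuple(get_field(e, f) for f in fields) for e in events)


def invites_per_sender(events: list[dict]) -> Counter:
    """Roll-up beyond the search: distinct target calendars each sender invited."""
    targets: dict[str, set] = {}
    for e in events:
        sender = get_field(e, "email")
        target = get_field(e, "parameters.target_calendar_id")
        if sender and target:
            targets.setdefault(sender, set()).add(target)
    return Counter({s: len(t) for s, t in targets.items()})


def flag_bulk_senders(events: list[dict], threshold: int = 5) -> list[tuple[str, int]]:
    """Senders at or above the threshold, largest first: the rows to investigate."""
    return [(s, n) for s, n in invites_per_sender(events).most_common() if n >= threshold]


if __name__ == "__main__":
    evts = filter_by_user(parse_events(SAMPLE_LOG_LINES), "*")
    for key, count in stats_count_by(evts).most_common():
        print(count, key)
    print("bulk senders:", flag_bulk_senders(evts))
```

The threshold of five distinct targets is a constructed starting point; tune it to your environment in the same way the page suggests adjusting the search per timeframe or organizational unit.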

Next steps

If this search returns a large number of invitations sent, this is potentially suspicious. Continue to investigate using the other methods for detecting Gsuite phishing attacks.

If you are experiencing a case of spear or targeted phishing, this search can help you. However, further analysis and compensating detections are required in order to narrow the search for the source of the attack.

Finally, you might be interested in other processes associated with the Detecting Gsuite phishing attacks use case.