Skip to main content


Splunk Lantern

Investigating Gsuite phishing attacks


You work for an organization that has migrated to Gsuite for their web application-based services, file storage, email, calendar, and other channels. Some employees have recently reported receiving suspicious-looking files delivered over GSuite Drive file-sharing, using documents branded with prominent financial institution's logos that prompt them to click links and share information.

Some of the attempts to deliver files are being sent without an accompanying notification email, causing your users to believe that the files in their Google Drive were shared by someone they know. The attackers are also using a range of methods to try to deliver their files, including text message.

You can't react to this effectively by placing source domain restrictions because it is impossible to block every possible malicious domain from sharing files. Even with imposing these and other restrictions such as service providers, types of documents, or even message analysis, you're finding it difficult to detect these attacks.

Required data

Google Workspace

How to use Splunk software for this use case

Depending on what information you have available, you might find it useful to identify some or all of the following: 

Next steps

If you are experiencing a case of spear or targeted phishing, these searches can help you, however further analysis and compensating detections are required in order to narrow the search for the source of the attack. 

The content in this guide comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these Splunk resources might help you understand and implement this use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.