Attackers may attempt phishing via rogue calendar invites. In this use case, the attacker sends multiple invitations through Google Calendar, sometimes with a document attachment, and typically sends them out in large quantities. This search is designed to detect such scenarios.
Detecting this attack vector requires a logging infrastructure that ingests Gsuite logs and is configured to expose the relevant fields, including the visibility, owner, and target user parameters. You can view the range of parameters used in these searches here.
This search might have to be adjusted for specific environments and for the specific findings behind a detection or hunt policy, which can be customized by timeframe, subdomain, or organizational unit.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="gsuite:calendar:json" email=[username] parameters.target_calendar_id > 1 | stats count BY ip_address email parameters.api_kind parameters.organizer_calendar_id parameters.target_calendar_id parameters.event.title
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk search | Explanation |
| --- | --- |
| `sourcetype="gsuite:calendar:json" email=[username]` | Search for invitations directed to specific users. If you use `[*]` as the username, you can find all users. |
| `parameters.target_calendar_id > 1` | Search for the number of invitations sent. |
| `\| stats count BY ip_address email parameters.api_kind parameters.organizer_calendar_id parameters.target_calendar_id parameters.event.title` | Count the results by `parameters.target_calendar_id`, event title (`parameters.event.title`), number of invitations, and information from fields such as `name`, which contains events like `add_event_guest` or `create_event`. If you sort the count in descending order, the large numbers are the ones to investigate. |
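To show what the `stats count BY` aggregation above actually surfaces, here is an added example (not part of the original article or of Splunk's content) that replays the same grouping in Python over a constructed set of flattened `gsuite:calendar:json` events. It assumes the field names from the search are present as top-level keys in each JSON line, and it also goes one step beyond the search by counting distinct invited calendars per sender and IP, which catches a sender who invites many different users once each.

```python
import json
from collections import Counter
from fnmatch import fnmatch

# Group-by fields taken from the search on this page (flattened gsuite:calendar:json).
GROUP_FIELDS = ("ip_address", "email", "parameters.api_kind",
                "parameters.organizer_calendar_id",
                "parameters.target_calendar_id", "parameters.event.title")

def _event(actor, ip, target, title, kind="web"):
    # Build one flattened calendar event; every value here is constructed for the example.
    return {"ip_address": ip, "email": actor, "parameters.api_kind": kind,
            "parameters.organizer_calendar_id": actor,
            "parameters.target_calendar_id": target,
            "parameters.event.title": title}

# Constructed sample log: one sender repeatedly inviting the same user to a lure event,
# plus ordinary single invitations from another user.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    [_event("mallory@example.com", "198.51.100.7", "alice@example.com",
            "Invoice overdue - open attached doc")] * 4
    + [_event("bob@example.com", "203.0.113.9", "alice@example.com", "1:1 sync"),
       _event("bob@example.com", "203.0.113.9", "carol@example.com", "Team lunch")]))

def stats_count_by(log_text, username="*"):
    """Mirror of `email=[username] | stats count BY ...`; '*' matches all users."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = json.loads(line)
        if not fnmatch(ev.get("email", ""), username):
            continue
        counts[tuple(ev.get(f, "") for f in GROUP_FIELDS)] += 1
    # Descending count, so the large numbers to investigate come first.
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

def distinct_targets_per_sender(log_text):
    """Extension of the page's search: distinct invited calendars per (sender, IP)."""
    targets = {}
    for line in log_text.splitlines():
        ev = json.loads(line)
        key = (ev.get("email", ""), ev.get("ip_address", ""))
        targets.setdefault(key, set()).add(ev.get("parameters.target_calendar_id", ""))
    return {k: len(v) for k, v in targets.items()}

if __name__ == "__main__":
    for group, n in stats_count_by(SAMPLE_LOG):
        print(n, dict(zip(GROUP_FIELDS, group)))
    print(distinct_targets_per_sender(SAMPLE_LOG))
```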
If this search returns a large number of invitations sent, this is potentially suspicious. Continue working through the other methods for detecting Gsuite phishing attacks.
If you are experiencing a case of spear or targeted phishing, this search can help you; however, further analysis and compensating detections are required in order to narrow the search down to the source of the attack.
Finally, you might be interested in other processes associated with the Detecting Gsuite phishing attacks use case.