Splunk Lantern

Gsuite calendar invite sharing detection

You might need to detect Gsuite calendar invite sharing when doing the following:

Prerequisites 

To succeed in implementing this use case, you need the following dependencies, resources, and information.

Detecting this attack vector requires a logging infrastructure that ingests Gsuite (Google Workspace) audit logs, in particular the Calendar audit log, with its parameters extracted as searchable fields, including the visibility, owner, and target user parameters. You can view the range of parameters used in these searches here.

Example

Attackers may attempt phishing through rogue calendar invites. In this use case, the attacker sends invitations through Google Calendar, sometimes with a document attached, and typically in large quantities so that at least some recipients open them. This search is designed to detect such scenarios.

To optimize the search shown below, specify an index and a time range. Many of these searches also have to be adjusted to the specific environment and to the findings behind a detection or hunt, for example by restricting them to a time frame, a set of subdomains, or particular organizational units.

  1. Run the following search:
sourcetype="gsuite:calendar:json" email=[username] parameters.target_calendar_id=*
| stats count BY ip_address email parameters.api_kind parameters.organizer_calendar_id parameters.target_calendar_id parameters.event.title
| where count > 1
| sort - count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                                                     Explanation
sourcetype="gsuite:calendar:json" email=[username]
    Search the Gsuite calendar audit events for invitations involving a specific user. Use email=* to search all users. The = after sourcetype is required; without it the search does not parse.
parameters.target_calendar_id=*
    Keep only events that name a target calendar, that is, events in which an invitation was actually directed at another user's calendar. This field holds a calendar ID (normally an email address), so it cannot be compared numerically to count invitations; the count threshold is applied after aggregation instead.
| stats count BY ip_address email parameters.api_kind parameters.organizer_calendar_id parameters.target_calendar_id parameters.event.title
    Count events per source IP address, acting user, API kind, organizer calendar, target calendar, and event title (parameters.event.title here; Google's raw audit parameter is event_title, so use whatever name your add-on emits). Adding the name field, which holds the event type such as add_event_guest or create_event, to the BY clause separates new invitations from guest changes. Because the target calendar is part of the grouping, a count above 1 means the same organizer re-sent to the same target; a single invitation sent to many different recipients shows up as many rows with count 1. To find bulk senders, replace count with dc(parameters.target_calendar_id) and drop the target from the BY clause.
| where count > 1
    Keep only groups seen more than once. Raise the threshold to suit your environment.
| sort - count
    Sort in descending order so that the largest counts, the ones to investigate first, appear at the top.
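The aggregation the search performs, as an added example that is not part of the Lantern page and is not Splunk code: a small Python script runs the same stats count BY grouping over a few constructed gsuite:calendar:json events, applies the count threshold after aggregation, and additionally counts distinct target calendars per sender and source IP, which is what surfaces one account inviting many recipients. The event shape, the nesting of parameters.event.title, the addresses, IPs and titles are all constructed for the example; adjust the dotted paths passed to get_field() to the field names your add-on actually emits.

```python
"""Emulate the Lantern calendar-invite search over constructed Gsuite events."""
import json
from collections import Counter, defaultdict

# Constructed sample events (not real Google Workspace data). Field names follow
# the search on this page; the nesting of parameters.event.title is an
# assumption about how the add-on presents the JSON.
SAMPLE_LOG = """
{"email": "attacker@example.com", "ip_address": "203.0.113.7", "name": "add_event_guest", "parameters": {"api_kind": "web", "organizer_calendar_id": "attacker@example.com", "target_calendar_id": "alice@corp.example", "event": {"title": "Action required: shared invoice (see attachment)"}}}
{"email": "attacker@example.com", "ip_address": "203.0.113.7", "name": "add_event_guest", "parameters": {"api_kind": "web", "organizer_calendar_id": "attacker@example.com", "target_calendar_id": "alice@corp.example", "event": {"title": "Action required: shared invoice (see attachment)"}}}
{"email": "attacker@example.com", "ip_address": "203.0.113.7", "name": "add_event_guest", "parameters": {"api_kind": "web", "organizer_calendar_id": "attacker@example.com", "target_calendar_id": "bob@corp.example", "event": {"title": "Action required: shared invoice (see attachment)"}}}
{"email": "attacker@example.com", "ip_address": "203.0.113.7", "name": "add_event_guest", "parameters": {"api_kind": "web", "organizer_calendar_id": "attacker@example.com", "target_calendar_id": "carol@corp.example", "event": {"title": "Action required: shared invoice (see attachment)"}}}
{"email": "attacker@example.com", "ip_address": "203.0.113.7", "name": "add_event_guest", "parameters": {"api_kind": "web", "organizer_calendar_id": "attacker@example.com", "target_calendar_id": "dave@corp.example", "event": {"title": "Action required: shared invoice (see attachment)"}}}
{"email": "jane@corp.example", "ip_address": "198.51.100.4", "name": "add_event_guest", "parameters": {"api_kind": "web", "organizer_calendar_id": "jane@corp.example", "target_calendar_id": "eve@corp.example", "event": {"title": "Weekly sync"}}}
{"email": "jane@corp.example", "ip_address": "198.51.100.4", "name": "add_event_guest", "parameters": {"api_kind": "web", "organizer_calendar_id": "jane@corp.example", "target_calendar_id": "frank@corp.example", "event": {"title": "Weekly sync"}}}
{"email": "jane@corp.example", "ip_address": "198.51.100.4", "name": "create_event", "parameters": {"api_kind": "web", "organizer_calendar_id": "jane@corp.example", "event": {"title": "Weekly sync"}}}
"""

# The BY clause of the search on this page.
BY_FIELDS = (
    "ip_address", "email", "parameters.api_kind",
    "parameters.organizer_calendar_id", "parameters.target_calendar_id",
    "parameters.event.title",
)


def parse_events(raw):
    """One JSON object per line, as the gsuite:calendar:json sourcetype is ingested."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def get_field(event, dotted):
    """Resolve a Splunk-style dotted field name against the nested JSON; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def stats_count(events, by_fields, min_count=2):
    """| stats count BY <by_fields> | where count >= min_count | sort - count"""
    groups = Counter()
    for ev in events:
        key = tuple(get_field(ev, f) for f in by_fields)
        if None in key:  # stats drops events missing any BY field
            continue
        groups[key] += 1
    rows = [dict(zip(by_fields, key), count=n) for key, n in groups.items() if n >= min_count]
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows


def bulk_inviters(events, min_targets=3):
    """| stats dc(parameters.target_calendar_id) AS targets BY email ip_address
       | where targets >= min_targets
    Counts distinct recipients per sender and source IP, which catches one
    account inviting many people even though each pair only occurs once."""
    targets = defaultdict(set)
    for ev in events:
        target = get_field(ev, "parameters.target_calendar_id")
        if target is None:
            continue
        targets[(ev["email"], ev["ip_address"])].add(target)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("repeat invitations (count > 1):")
    for row in stats_count(events, BY_FIELDS):
        print(" ", row["count"], row["email"], "->", row["parameters.target_calendar_id"])
    print("bulk inviters (>= 3 distinct targets):", bulk_inviters(events))
```

Run as-is and the page's grouping reports only the re-sent invitation to one recipient, while the distinct-target count flags the sender who reached four different calendars from one IP address; the second view is the one to alert on for the large-quantity case the use case describes.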

Result

A large number of invitations from a single user or source IP address, especially with an unusual event title or an attached document, is potentially suspicious. Continue to combine this search with other methods for detecting Gsuite phishing attacks.

If you are dealing with spear or targeted phishing, this search can help, but further analysis and compensating detections are required to narrow down the source of the attack.