Investigating Gsuite phishing attacks
You work for an organization that has migrated to Gsuite for their web application-based services, file storage, email, calendar, and other channels. Some employees have recently reported receiving suspicious-looking files delivered over GSuite Drive file-sharing, using documents branded with prominent financial institution's logos that prompt them to click links and share information.
Some of the attempts to deliver files are being sent without an accompanying notification email, causing your users to believe that the files in their Google Drive were shared by someone they know. The attackers are also using a range of methods to try to deliver their files, including text message.
You can't react to this effectively by placing source domain restrictions because it is impossible to block every possible malicious domain from sharing files. Even with imposing these and other restrictions such as service providers, types of documents, or even message analysis, you're finding it difficult to detect these attacks.
How to use Splunk software for this use case
To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
If you are experiencing a case of spear or targeted phishing, these searches can help you, however further analysis and compensating detections are required in order to narrow the search for the source of the attack.
Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.
If you are a Splunk Enterprise Security customer, you can also get help from the Security Research team's support options on GitHub.
In addition, the following resources can help you with this use case: