Threats

Detecting the Google Docs Phishing Attack Using Traffic Analysis

By Brad Antoniewicz
Posted on May 4, 2017
Updated on March 3, 2020


The massive phishing attack disguising itself as a Google Docs sharing request is dominating headlines. We’re proud to say that our Sender Rank algorithm detected the attack before the blogs began to roll. Not only that, our unique perspective gives us insight into how successful the attack was. While most reports look at the email content itself, our focus is on network traffic, so let’s look there to see the staggering impact of the attack and what Sender Rank looked at to catch it.

Timeframe and Domains

Our data shows the attack was mainly concentrated between 2017-05-03 18:00:00 and 2017-05-03 19:00:00 and involved the following domains, which share the lexical tokens “docs” and “cloud” (and, for most of them, a “g” or “g-” prefix):

  • gdocs[.]pro
  • gdocs[.]win
  • g-docs[.]pro
  • g-docs[.]win
  • docscloud[.]win
  • docscloud[.]info
  • gdocs[.]download
  • g-cloud[.]pro
  • g-cloud[.]win
  • docscloud[.]download

These domains had another common characteristic: a sharp increase in query volume. Further, the traffic to these domains followed the pattern most spam does: released early in the morning and blasted out in a short burst. Below is an example of how one of the domains is dormant, with little or no query volume, prior to its release:

Domain volume to g-cloud[.]win domain.

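As an added example (not code from the original post, and not Cisco’s Sender Rank), here is a small Python check that captures the two signals described above: lexical tokens shared with the campaign domains, and a sharp jump from a dormant baseline. The hourly counts, the six-hour baseline window and the 50x threshold are constructed for illustration; the real Sender Rank features and thresholds are not described on this page.

```python
import re
from statistics import median

# Constructed hourly query counts per domain (index = hour of the day, UTC).
# Illustrative numbers only, not the post's telemetry.
HOURLY_QUERIES = {
    "g-docs.win":       [0, 0, 1, 0, 0, 2, 0, 0, 14000, 15500, 900],
    "docscloud.info":   [0, 1, 0, 0, 3, 0, 0, 0, 12000, 13000, 700],
    "example.com":      [5000, 5200, 4900, 5100, 5000, 5300, 5100, 5000, 5200, 5100, 5000],
    "mydocs-store.net": [30, 28, 35, 31, 29, 30, 33, 32, 31, 30, 29],
}

# "g" or "g-" prefix immediately followed by doc/cloud, as in gdocs / g-cloud.
G_PREFIX = re.compile(r"^g-?(doc|cloud)")


def lexical_tokens(domain):
    """Tokens from the campaign's vocabulary found in the leftmost label.
    Returns ['doc', 'cloud'] for docscloud.info and ['doc', 'g-prefix'] for gdocs.pro."""
    label = domain.lower().split(".")[0]
    found = [tok for tok in ("doc", "cloud") if tok in label]
    if G_PREFIX.match(label):
        found.append("g-prefix")
    return found


def dormant_then_spike(counts, window=6, ratio_threshold=50.0):
    """First hour whose count is at least ratio_threshold times the median of the
    preceding `window` hours, returned as (hour_index, ratio); None if no such hour.
    The baseline is floored at 1 so a fully dormant domain (all zeros) does not
    divide by zero and still yields a very large ratio."""
    for i in range(window, len(counts)):
        baseline = max(median(counts[i - window:i]), 1)
        ratio = counts[i] / baseline
        if ratio >= ratio_threshold:
            return i, ratio
    return None


def flag_campaign_domains(hourly, min_tokens=1):
    """Domains that both look like the campaign lexically and burst from dormancy.
    Neither signal alone is enough: mydocs-store.net shares the 'doc' token but has
    a flat, legitimate-looking volume, so it is not flagged."""
    flagged = {}
    for domain, counts in hourly.items():
        tokens = lexical_tokens(domain)
        spike = dormant_then_spike(counts)
        if len(tokens) >= min_tokens and spike is not None:
            flagged[domain] = {"tokens": tokens, "spike_hour": spike[0], "ratio": spike[1]}
    return flagged


if __name__ == "__main__":
    for domain, info in flag_campaign_domains(HOURLY_QUERIES).items():
        print(f"{domain}: tokens={info['tokens']} spike at hour {info['spike_hour']} "
              f"({info['ratio']:.0f}x baseline)")
```

The median baseline is deliberate: a single earlier blip (the lone 1 or 2 queries in the constructed rows) does not move the median, whereas a mean baseline would be dragged up by it and the spike ratio understated.
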
The Click

The phishing email contains an ‘Open in Docs’ button which, when clicked, sends the user to Google’s OAuth page to authenticate and to grant permissions on the victim’s account. In the email we looked at, the URL behind the button contained a redirect parameter which, once the request was allowed or denied at Google’s OAuth page, would send the user on to an attacker-controlled website. As identified by our Sender Rank algorithm and confirmed in other articles, the domains listed above were used in this attack and were likely the value of this redirect parameter.

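The redirect parameter is the part worth inspecting, because the link’s first hop (Google’s own OAuth page) looks legitimate to any filter that only checks the host of the link. The following Python snippet is an added example, not code from the original post: it pulls the redirect target out of an authorization URL and checks its host against an allowlist. It assumes the standard OAuth 2.0 parameter name redirect_uri (the post does not say which parameter the email used), and the sample URL and allowlist are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Hosts allowed to receive the OAuth authorization response. Constructed for
# this example; in practice this comes from the client's registration.
TRUSTED_REDIRECT_SUFFIXES = ("google.com", "googleusercontent.com")

# Constructed example of an authorization link; not the email's real URL.
SAMPLE_BUTTON_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=1234&response_type=code&scope=email"
    "&redirect_uri=https%3A%2F%2Fg-docs.win%2Fcallback"
)


def link_host(url):
    """Host of the link itself. For this attack it is a legitimate Google host,
    which is why filtering on the link's first hop alone misses it."""
    return urlparse(url).hostname


def oauth_redirect_target(url):
    """Host named by the redirect parameter, or None if there is none.
    `redirect_uri` is the standard OAuth 2.0 parameter name (assumed here; the
    post does not name the parameter the email used)."""
    params = parse_qs(urlparse(url).query)
    values = params.get("redirect_uri")
    if not values:
        return None
    return urlparse(values[0]).hostname


def host_is_trusted(host):
    """True if host equals or is a subdomain of an allowlisted suffix. The dot
    check prevents 'notgoogle.com' from matching 'google.com'."""
    if not host:
        return False
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)


def classify_button_url(url):
    """Return ('trusted' | 'suspicious' | 'no-redirect', redirect_host). Both Allow
    and Deny on the consent page send the browser to the redirect target, so a
    suspicious target is a hit regardless of what the user chose."""
    target = oauth_redirect_target(url)
    if target is None:
        return "no-redirect", None
    return ("trusted" if host_is_trusted(target) else "suspicious"), target


if __name__ == "__main__":
    print("link host:", link_host(SAMPLE_BUTTON_URL))
    print("redirect :", classify_button_url(SAMPLE_BUTTON_URL))
```

The same check can be run on the network side: the DNS query for the redirect host is the first traffic that leaves the legitimate Google domain, which is exactly the query Sender Rank saw spike.
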
Impact

The button and the redirect sequence are particularly noteworthy since, in our testing, the user needs to click the ‘Open in Docs’ button and then click either ‘Allow’ or ‘Deny’ on Google’s OAuth page before any of these domains is contacted. There were also reports of other variants of the phish that simply linked straight to the attacker-controlled system. Regardless of how many steps it takes for the user to arrive at the attacker-controlled site, the fact that they always need to click something first makes the query volume particularly staggering. For instance, if we look at just four of the ten domains, we see an average of roughly 15,000 queries each:

Query Volumes

Ten domains averaging 15,000 queries would suggest upwards of 150,000 of our users actually clicked ‘Open in Docs’. It is hard, however, to say how many users were affected using DNS data alone. A DNS query does not equate to a single person, compromise, or even system, nor does a query for one of these domains prove that the querying system did so as a result of this attack. That being said, even if the actual number was one tenth of the query count (which, as we’ll show shortly, is more likely the case), it is still staggering to think that that many people let their guard down and clicked away.

Sender Rank

Like all our models, Sender Rank provides visibility into what makes these attacker domains unique. For example, the queries to the attacker-controlled domains were at the same rate as some of the most popular and trusted sites on the internet: apple.com, travelocity.com, and salesforce.com! The following section will break down some of the behavioral attributes that Sender Rank used to detect these attacker domains.

Machine Behavior

A unique perspective we have in attacks like this is the ability to identify the behavior patterns within the queries made to the domains in the campaign. One interesting question you might ask is: what other domains were being queried during the same time frame as these? In the following charts, we highlight a few aggregated metrics that give insight into the domains used in this attack.

First, we can see that there were approximately 1,200 machines querying three of the domains at the peak of the attack. This gives us a little more clarity on the impact. The interesting thing here is that the machine count was sustained for roughly two hours, then saw a rapid decline in the third hour (a 95% decrease on average).

The number of machines querying these domains

As we alluded to previously, we can also characterize simultaneous queries over the attack time frame. In other words, we can identify if these attacker domains caused additional queries outside of the norm. In the below chart we report the median number of unique queries made in the same hour (we use the median, rather than mean, due to outliers).

The median number of unique queries occurring in the same hour as those made to the attacker controlled domains.

We observe that about 100 unique queries were made in the same hour as the queries to the attacker-controlled domains. This is an interesting comparison to the first chart, since here we do not see a decline in the third hour of the attack.

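To make the distinction between queries and machines concrete, and to show how the per-hour machine count and the median number of co-occurring queries above can be computed from raw resolver logs, here is an added Python example over a constructed DNS log. It is not the post’s telemetry and not Umbrella’s own code; the log format (timestamp, client identifier, queried name) and the three campaign domains it keys on are assumptions for the example.

```python
from collections import defaultdict
from statistics import median

CAMPAIGN_DOMAINS = {"g-docs.win", "g-cloud.win", "docscloud.win"}

# Constructed sample log, one query per line: "<ISO timestamp> <client id> <qname>".
# Not real telemetry; the format itself is an assumption for this example.
SAMPLE_LOG = """\
2017-05-03T18:02:11Z host-a g-docs.win
2017-05-03T18:02:12Z host-a accounts.google.com
2017-05-03T18:02:12Z host-a docs.google.com
2017-05-03T18:02:13Z host-a g-docs.win
2017-05-03T18:05:40Z host-b g-cloud.win
2017-05-03T18:05:41Z host-b accounts.google.com
2017-05-03T18:09:02Z host-c docscloud.win
2017-05-03T18:09:03Z host-c accounts.google.com
2017-05-03T18:09:03Z host-c mail.example.net
2017-05-03T18:09:04Z host-c cdn.example.net
2017-05-03T18:30:00Z host-d example.com
2017-05-03T19:10:00Z host-a g-docs.win
2017-05-03T19:10:01Z host-a accounts.google.com
2017-05-03T19:12:00Z host-e docscloud.win
2017-05-03T20:01:00Z host-f g-docs.win
"""


def parse_log(text):
    """Return a list of (hour, client, qname); hour is the timestamp cut to 'YYYY-MM-DDTHH'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((ts[:13], client, qname.lower().rstrip(".")))
    return records


def hourly_campaign_stats(records, campaign=CAMPAIGN_DOMAINS):
    """Per hour: raw campaign query count, distinct querying machines, queries per
    machine, and the median number of distinct non-campaign names those same
    machines resolved in that hour (median rather than mean, to blunt outliers)."""
    queried = defaultdict(lambda: defaultdict(set))   # hour -> client -> names resolved
    hits = defaultdict(int)                            # hour -> campaign query count
    for hour, client, qname in records:
        queried[hour][client].add(qname)
        if qname in campaign:
            hits[hour] += 1
    stats = {}
    for hour, count in hits.items():
        machines = [c for c, names in queried[hour].items() if names & campaign]
        cooccurring = [len(queried[hour][c] - campaign) for c in machines]
        stats[hour] = {
            "queries": count,
            "machines": len(machines),
            "queries_per_machine": count / len(machines),
            "median_cooccurring": median(cooccurring),
        }
    return stats


def percent_change(previous, current):
    """Hour-over-hour change in percent, the same figure Table 1 reports for
    block list volume. A zero baseline is reported as infinite growth."""
    if previous == 0:
        return float("inf") if current else 0.0
    return (current - previous) / previous * 100.0


if __name__ == "__main__":
    stats = hourly_campaign_stats(parse_log(SAMPLE_LOG))
    for hour in sorted(stats):
        print(hour, stats[hour])
    print("machines 18h->19h: %.1f%%" % percent_change(
        stats["2017-05-03T18"]["machines"], stats["2017-05-03T19"]["machines"]))
```

In the constructed log, hour 18 shows four campaign queries from three machines: the repeated query from host-a is the kind of double counting that makes the raw query count overstate the number of people who clicked, which is the caveat raised in the Impact section above.
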
The Email Server Ripple

Email servers often consult internet-based block list services when evaluating messages for spam and malicious content. Similar to Sender Rank, email block lists aggregate and collate the reactions of a large population of mail servers, giving them a perspective that allows them to recognize large, broad campaigns.

In the following table, we show the hour-over-hour percentage change in block list volume for the attacker-controlled domains.

Domain           2017-05-03 18:00:00   2017-05-03 19:00:00
docscloud[.]win  509%                  4.7%
g-cloud[.]win    537%                  1.8%
g-docs[.]win     509%                  -31.4%

TABLE 1: Percent change in block list volume from one hour to the next.

To provide additional context, here are a few other domains Sender Rank is tracking (not blocking) that had the same popularity during the attack window:

  • bhphotovideo.com
  • googlegroups.com
  • travelocity.com
  • salesforce.com
  • hollisterco.com
  • tumblr.com
  • weebly.com
  • icloud.com
  • blogspot.com
  • office365.com
  • eventbrite.com
  • apple.com

Conclusion

This attack used a common approach to target users’ accounts in an unsuspecting way and had a staggering impact. We’ll continue to build systems like Sender Rank to quickly detect the next attacks, protect our customers, and keep you informed.
