topic Blocking or filtering emails sent to "undisclosed-recipients:;" in Peer-Peer Topics

Blocking or filtering emails sent to "undisclosed-recipients:;"

alexgrutza — Tue, 19 Sep 2023 12:45:02 GMT

Within the past two months we've had to of our users have their accounts send several hundred/thousands of emails that are clearly phishing emails from some threat, not the actual user.

I've opened a case with Google to see if they can tell us if it's one of the person's 3rd party apps doing this, or any other information would help us.

While I wait to hear back from them, I'm wondering if there is a way to block (pros/cons) the "To:" field containing following:

undisclosed-recipients:;

Looking at the raw headers, that is in the To: field which lines up with hundreds/thousands of our users receiving these emails. My understanding is that these emails/this field is related to the BCC field, which may cause issues if we block it.

All headers and the like point back to it not being spoofed, and legitimately coming from the Google account. We have IMAP/Pop disabled for all users so it couldn't be someone signing into Outlook for example (me being naive?...)

Re: Blocking or filtering emails sent to "undisclosed-recipients:;"

Kim_Nilsson — Tue, 19 Sep 2023 14:24:13 GMT

Yes, you can block that with a Content Compliance rule.

With Modern Authentication and direct API access some email clients can work without IMAP/POP.

Re: Blocking or filtering emails sent to "undisclosed-recipients:;"

Bill_Gibson — Tue, 19 Sep 2023 15:18:35 GMT

Was this situation brought to your attention by Google taking action on their accounts, or is there a way you were able to identify these accounts?

Re: Blocking or filtering emails sent to "undisclosed-recipients:;"

alexgrutza — Tue, 19 Sep 2023 15:59:43 GMT

No, an end-user informed us of the suspicious email, which we investigated and indeed the account did send several hundred emails. However, a month or two ago, Google did suspend a different account sending similar phishing emails because due to rate limiting. That one was brought up via the Google Alert Center, but this one is from an end-user.

Google did not see any suspicious logins for the sender, and asked for an EML file so they can investigate further. Haven't heard back since providing them the EML file.

Re: Blocking or filtering emails sent to "undisclosed-recipients:;"

alexgrutza — Tue, 19 Sep 2023 16:02:13 GMT

Thanks, that's good to know. I'm leaning more towards content compliance being a "con" because there may be legitimate emails that are sent to "undisclosed-recipients", which would then be blocked. A never ending battle...

I did mention that we should investigate changing the 3rd party app rules as maybe that's causing this. We currently don't limit the 3rd party app access at all...So I'm hoping these type of events help change that posture.