Blocking or filtering emails sent to "undisclosed-recipients:;"

alexgrutza
Contributor III

Within the past two months we've had two of our users have their accounts send several hundred/thousands of emails that are clearly phishing emails from some threat, not the actual user.

I've opened a case with Google to see if they can tell us if it's one of the person's 3rd party apps doing this, or any other information would help us. 

While I wait to hear back from them, I'm wondering if there is a way to block (pros/cons) the "To:" field containing the following:

undisclosed-recipients:; 

Looking at the raw headers, that is in the To: field which lines up with hundreds/thousands of our users receiving these emails. My understanding is that these emails/this field is related to the BCC field, which may cause issues if we block it.

All headers and the like point back to it not being spoofed, and legitimately coming from the Google account. We have IMAP/POP disabled for all users so it couldn't be someone signing into Outlook for example (me being naive?...)

--
CISSP | LinkedIn | @Phyxiis

Kim_Nilsson
Admin Moderator

Yes, you can block that with a Content Compliance rule.

With Modern Authentication and direct API access some email clients can work without IMAP/POP.

--
https://wheretofind.me/@NoSubstitute

Thanks, that's good to know. I'm leaning more towards content compliance being a "con" because there may be legitimate emails that are sent to "undisclosed-recipients", which would then be blocked. A never-ending battle...

I did mention that we should investigate changing the 3rd party app rules as maybe that's causing this. We currently don't limit the 3rd party app access at all... So I'm hoping these types of events help change that posture.

--
CISSP | LinkedIn | @Phyxiis
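A middle ground between blocking the header outright and ignoring it is to count how many "undisclosed-recipients:;" messages each account sends and alert only on senders well above normal BCC usage. The script below is an added example, not code from the thread or from Google; the raw messages and the threshold of 100 are constructed assumptions standing in for an export of outbound mail.

```python
"""Flag senders whose mail is addressed to 'undisclosed-recipients:;' in bulk.

Added example (not from the thread): per-sender volume, not a blanket block,
so a compromised account sending hundreds of such messages stands out while
an occasional legitimate BCC mailing does not.
"""
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Header value Gmail writes in To: when a message has only Bcc recipients.
UNDISCLOSED = "undisclosed-recipients:;"

# Constructed raw messages standing in for an export of outbound mail:
# one account sends 300 undisclosed-recipient mails, one sends 3, one none.
SAMPLE_MESSAGES = (
    [f"From: mallory@example.com\nTo: undisclosed-recipients:;\nSubject: Invoice {i}\n\nClick here\n"
     for i in range(300)]
    + ["From: alice@example.com\nTo: undisclosed-recipients:;\nSubject: Newsletter\n\nHi all\n"] * 3
    + ["From: bob@example.com\nTo: carol@example.com\nSubject: Lunch\n\nNoon?\n"]
)

def is_undisclosed(raw: str) -> bool:
    """True when the To: header is the undisclosed-recipients group (only Bcc used)."""
    to = (message_from_string(raw).get("To") or "").strip().lower()
    return to.replace(" ", "") == UNDISCLOSED

def sender_of(raw: str) -> str:
    """Normalised From: address (the account the thread says is really sending)."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()

def count_undisclosed_by_sender(raw_messages) -> Counter:
    """Number of undisclosed-recipient messages per sending account."""
    return Counter(sender_of(m) for m in raw_messages if is_undisclosed(m))

def flag_senders(raw_messages, threshold: int = 100) -> list[str]:
    """Senders at or above the threshold (assumed value; tune to normal BCC usage)."""
    counts = count_undisclosed_by_sender(raw_messages)
    return sorted(s for s, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for sender, n in count_undisclosed_by_sender(SAMPLE_MESSAGES).most_common():
        print(f"{sender}: {n}")
    print("flagged:", flag_senders(SAMPLE_MESSAGES))
```

Feed it the raw headers of real outbound mail and only the high-volume account is flagged, leaving the occasional legitimate BCC mailing alone.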

Bill_Gibson
Contributor III

Was this situation brought to your attention by Google taking action on their accounts, or is there a way you were able to identify these accounts?

No, an end-user informed us of the suspicious email, which we investigated and indeed the account did send several hundred emails. However, a month or two ago, Google did suspend a different account sending similar phishing emails due to rate limiting. That one was brought up via the Google Alert Center, but this one is from an end-user.

Google did not see any suspicious logins for the sender, and asked for an EML file so they can investigate further. Haven't heard back since providing them the EML file.

--
CISSP | LinkedIn | @Phyxiis