The Google for Education Community Platform

alexgrutza · ‎09-05-2023

I'm not sure what it means overall (probably that these entities have a compromised account) but it's rather annoying when external schools send Google Docs to some of our users like "Document shared with you 'Employee Form.docx'"

How do you normally handle these? So far I've Googled their IT Director or similar positions notifying them of the potential compromised accounts. I never hear back. Otherwise if I can't find an IT resource, if the schools website has a "Contact Us" I let them know via that.

I've also recently even been receiving these type of emails (Google Docs shared/notifications) to my personal Gmail account. I hope Google knows that it's probably one of the largest distributors of Spam and Phishing attempts out there...you'd think they'd somehow combat this type of stuff.

/End rant

--
CISSP | LinkedIn | @Phyxiis

Kim_Nilsson · ‎09-05-2023

Reporting it to the IT of the offending organisation is the best approach.

One can, of course, also email the offending account, as they may not be aware of the breach of their account.

I've over the years received masses of attempts using OneDrive as storage. Very few using Google Drive.

IT not responding to a breach is very poor form. I'd be very happy if someone informed me of such a situation.

--
https://wheretofind.me/@NoSubstitute

alexgrutza · ‎09-05-2023

Part of me thinks replying/emailing the individual back may also notify the bad-actors which in turn may attempt to do further harm (more emails, cover tracks, etc.), hence my reasoning to only go to their IT department so they can get any logs they may need.

I can see your point though as most likely they're totally unaware. We're a part of an ISAC group and receive periodic compromised account passwords lists/alerts, which is beneficial for our own users.

--
CISSP | LinkedIn | @Phyxiis

Kim_Nilsson · ‎09-05-2023

Yup, that could also happen, but if the IT person doesn't get back to you, I wouldn't let the account keep spamming your users. If it's completely unrelated, then you can of course block it in Compliance or Routing.

--
https://wheretofind.me/@NoSubstitute

alexgrutza · ‎09-05-2023

That is a valid point as well. I've created a compliance rule for another school that seems to be a frequent target to drop emails if from specific domain and subject contains XYZ. Can't full out block them because they appear to have actual communication with our institution.

I guess I my expectations might be too high, expecting a response of some kind 😐

--
CISSP | LinkedIn | @Phyxiis

JimmyR · ‎09-05-2023

We typically reach out to the IT Director and so far, that has worked well for us. This happened to us as well and like Kim said, we were really happy that a nearby school let us know that one of our accounts had been compromised. It's definitely frustrating though!

MattDPenn · ‎09-06-2023

Are you notifying them via email or by phone? If the attempts stop then I'd assume they've taken care of things but might not hurt to reach out again, preferably by phone, to double check.

If it's a continuous issue and you keep getting no response then mayhaps it would be appropriate to start contacting front office/other administration members?

alexgrutza · ‎09-06-2023

I have only done email, but my manager has done phone calls. For one particular district/charter in Texas, it's a different account every few months.

More or less just venting

--
CISSP | LinkedIn | @Phyxiis

MattDPenn · ‎09-06-2023

Might be worth looking into if there's a group/org to report them to. Like county level offices or something but I have no idea what the set up in Texas is like outside of what I hear in the news.

If there are some legitimate emails flowing between your schools (as mentioned in one of your replies) it might still be worth doing a full block of the domain so that the people that were communicating are forced to reach out via phone and maybe their complaints would help apply pressure. At the end of the day you gotta protect your users.

alexgrutza · ‎09-26-2023

Edit: they have another compromised account that sent us a Drive document

Update and I'm not sure it'll resolve the problem since it's a Drive sharing issue, not necessarily a Gmail issue:

In Gmail Compliance, I've blocked anything containing @domain.tld (obviously substituted the real domain) of this school district. I've also went to their website and submitted a complaint via the "Contact us" page.

If there is a way to block all external domains from sharing stuff with us, is that possible via the Drive -> Sharing Settings -> Sharing Options -> ALLOWLISTED DOMAINS? If we change to the ALLOWELISTED DOMAINS, does that mean external entities not in the ALLOWLIST will be denied?

Google really has to do something. Not only are they the largest spam filtering company, they're also one of the largest proliferators of spam...

--
CISSP | LinkedIn | @Phyxiis

Kim_Nilsson · ‎09-26-2023

Yes, switching to allowlisted domains will accomplish exactly that, but only for outgoing sharing.

Just like there is a setting when allowing all sharing, there's one for incoming sharing in the Allowed Domains section. You need to untick that box.

Block incoming sharing from unknown sources.

Then no unknown incoming sharing will be allowed.

This can be set for the students' OU only, if you want, and even for a Group.

--
https://wheretofind.me/@NoSubstitute

alexgrutza · ‎09-27-2023

Perfect. We just put in on our change board for next week to discuss changing to this setting. The uptick in these successful Drive phishing attempts has increased and since Google isn't able/willing to help (via opening a case and providing all sorts of evidence and data), this is the only option we have to protect our users from a technical aspect

--
CISSP | LinkedIn | @Phyxiis

The Google for Education Community Platform

[Rant] Really annoying phishing attempts