Removing Phishing Shared Doc

MattDPenn
Contributor II

Greetings all,

I managed to catch an email sent to many of my staff early, but I cannot for the life of me figure out how to remove shared docs from users' Drives in Google Admin. I believe I've correctly deleted the original emails from affected users via Security -> Investigation Tool, but when I visited a user and checked their "shared with" section, the file was still sitting there. Is all I can do to tell people to manually mark it as spam/phishing?

4 REPLIES

Olger
New Contributor III

I realize this doesn't necessarily help you now, but it might be worth considering. We use GAT Labs tools (GAT+, GAT Shield, Teacher Assist and GAT Flow). GAT+ is a web UI-based tool that has a lot of the same capabilities as GAM (sometimes I think they used GAM as a template and simply built a UI around it and then continued to develop it). With GAT+ you can simply search every My Drive and Shared Drive for files within your Workspace. As an Admin, you can then take ownership of files in user My Drives and delete those files if necessary. GAT+ is quite extensive. I use GAT+'s reporting capabilities, for instance, to see what files are being shared between students that do not have a teacher shared as well. It allows me to detect chat documents quite easily.

Or I can search for contacts in users' personal contacts that had something changed, or groups they've created and modify them as needed, without having to go to each user individually.

In your case, you would be able to search for the document names, take ownership, remove other permissions in one go (in which case they'd be moved to your My Drive) and either delete them or store them for further investigation.

That sounds like it only works if your organization owns the file. This was a file shared in by an external account and as such I don't seem to have any control over it. Frankly, I don't even see a report that shows users were "given" access to this file.

I found a GAM command that gives the file ID if you know the internal/external user, but that's pretty specific...and I can't find how to get it out of the Shared with me section

From my research and the research of my boss it seems like the only way would be to block all external shares and create a list of domains that are permitted to share into your organization. Which feels like a sledgehammer tactic when we need a scalpel. It baffles me that Google doesn't seem to have added a way to remove externally shared files normally.