
Phishing - Google Doc Share (What To do)

Updated over 6 months ago

This guide walks you through the remediation process after a user receives a phishing link via a Google Drive share. We have seen a large spike in phishing attempts through Google Drive shares. These types of attacks are particularly difficult to fully remediate, but the steps below should help you get in front of the problem.


STEPS TO TAKE

  1. Block the link to the Google Drive share on your firewall and/or content filter.

  2. Delete the emails containing the share link.

  3. Set up policies in ManagedMethods (MM) to automatically delete future emails coming from that sender or containing the link. You can also automatically warn your users when they receive these file shares.


WHAT CAN MANAGEDMETHODS DO TO HELP?

Within your ManagedMethods platform, you can find the users this document has been shared with on the Drive Files tab, or within the Live File Search sub-tab. You cannot delete the files from users' "Shared With Me" folders; the limitations are discussed below.

1) Search for the name of the document, or the email subject, in the Live Email Search, and delete the share notification emails from users' inboxes.

2) Create two policies: one to delete emails coming from a specific user, and another to delete emails/files containing the Google Doc URL. Note that you will need to create a custom risk to look for the URL.
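
The same shared file can be linked in more than one URL form, and the file ID is the part that stays the same. As an added example (not ManagedMethods code; the message structure, function names and sample IDs are constructed for illustration), this Python script extracts the Drive file ID from a reported share link and lists the messages that link to that same file, while ignoring look-alike hosts:

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts that serve Google Drive / Docs share links.
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
# Path forms: /file/d/<id>/, /document/d/<id>/, /forms/d/e/<id>/, /drive/folders/<id>
PATH_ID = re.compile(r"/(?:d(?:/e)?|folders)/([A-Za-z0-9_-]{10,})")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def drive_file_id(url):
    """Return the Drive file ID in a share URL, or None if it is not a Drive link."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() not in DRIVE_HOSTS:
        return None
    m = PATH_ID.search(parts.path)
    if m:
        return m.group(1)
    # Query form: https://drive.google.com/open?id=<id>
    ids = parse_qs(parts.query).get("id")
    return ids[0] if ids else None


def messages_sharing(reported_url, messages):
    """Return ids of messages that link to the same Drive file as reported_url."""
    target = drive_file_id(reported_url)
    if target is None:
        raise ValueError("reported URL is not a Google Drive share link")
    hits = []
    for msg in messages:
        urls = URL_RE.findall(msg["body"])
        if any(drive_file_id(u) == target for u in urls):
            hits.append(msg["id"])
    return hits


# Constructed sample data: the file IDs and message ids below are made up.
FILE_A = "1AbCdEfGhIjKlMnOpQrStUvWxYz012345"
FILE_B = "1ZzYyXxWwVvUuTtSsRrQqPpOoNn987654"
REPORTED = f"https://docs.google.com/document/d/{FILE_A}/edit?usp=sharing"
MESSAGES = [
    {"id": "m1", "body": f"Open: https://docs.google.com/document/d/{FILE_A}/edit?usp=sharing_eil"},
    {"id": "m2", "body": f"See https://drive.google.com/open?id={FILE_A} today."},
    {"id": "m3", "body": f"Notes: https://docs.google.com/document/d/{FILE_B}/edit"},
    {"id": "m4", "body": f"https://docs.google.com.example.net/document/d/{FILE_A}/edit"},
]

if __name__ == "__main__":
    print(drive_file_id(REPORTED), messages_sharing(REPORTED, MESSAGES))
```

Messages m1 and m2 match even though their links are written differently; m3 points to another file and m4 uses a host that only resembles docs.google.com.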


MANAGEDMETHODS LIMITATIONS

Due to the nature of how these phishing links are sent and received, we are limited (as are all other API-based solutions) in our ability to delete these files from users' "Shared With Me" folders. This is because the file is owned by a user outside your domain, against whom we cannot take action. You can find an article here detailing our limitations with files owned by outside users.
