Hunting Google Drive Phishing

Over the last month I’ve observered a sharp increase in phishing emails coming from Google Drive. The threat actor shares a file through Google Drive to the victim. As a result the email sender is [email protected] and the sender display name is Something (via Google Drive) where something is the organization they are trying to simulate, Wells Fargo, Coinbase, US Bank, etc. They’ve been particularly hard to block due to the legit nature of Google Drive but I found a way of fingerprinting them fairly well. In every case I’ve seen the sender display name contains Cyrillic characters and as a result searching for emails from Google Drive with Cyrillic in the display name provides a list of suspect emails. Use the following Kusto query to search your emails in either Azure Sentinel or Microsoft Defender Advanced hunting.

EmailEvents
| where SenderFromAddress == "[email protected]"
  and SenderDisplayName matches regex "[\\p{Cyrillic}]"

Using this query you can also replace Cyrillic with other class names from the re2 syntax guide.