Re: Standard practice
Unfortunately that wouldn't work for a lot of organizations that are using Google Drive to store information. Just this morning I had to submit a couple inventory reports by filling out a form hosted on the company's Google Docs pages. HR also regularly sends out announcements by sharing a link to Google Docs.
I've worked with a dozen or so organizations like this and I doubt I just got lucky and hit the few orgs that work that way.
And, really, the only way to tell the difference between a legitimate google docs attachment and one from scammers is by looking at the UUID embedded in the link URL and checking to see if it matches the UUID assigned to a legitimate user. Which also assumes that the user hasn't had their UUID changed due to be moved to a different version of the service or some other random action that caused it to change.
Really, the issue here is that instead of the attack purporting to be from hr.internal.company.com but coming from hr.internal.company.com-totally-legit-url.ru. It is now purporting to come from drive.google.com/1234-abcdef0-7894-ac43-12fc390/docs/files/ but really coming from drive.google.com/4567-ffecba12-23e4-23fa-bcce12f/docs/files
Biting the hand that feeds IT
