Removing a shared Google Doc, containing a malicious link, for all users using GAM


Nathan Kuhl

Oct 19, 2022, 1:28:32 PM
to GAM for Google Workspace
Here's the situation: An external Google account shares a Google Doc with a number of our users containing a malicious link that is intended to steal login credentials.

I want to be able to use GAM to remove this file from the user's Google Drive but I can't figure out how to do it. If we navigate to Google Drive, right-click on the "shared with me" file, then we can delete it by clicking REMOVE. This moves it to the trash.

Is there a way to do this in GAM? Every time I try to run the following command, I get this:

Command: gam user us...@email.com delete drivefile (driveFileID)

Output: <HttpError 403 when requesting https://www.googleapis.com/drive/v2/files/1aIUl4GIr58Puiv9RW_Gh9uIob3pQ9zgIbMGMzxhSH64/trash?supportsAllDrives=true&alt=json returned "Insufficient permissions for this file". Details: "[{'domain': 'global', 'reason': 'forbidden', 'message': 'Insufficient permissions for this file', 'locationType': 'other', 'location': 'file.permissions'}]">

Jay Lee

Oct 19, 2022, 1:31:03 PM
to google-ap...@googlegroups.com
Your best bet is to train users how to report these docs as malicious. Trying to blocklist them one by one is like fighting a forest fire with a syringe for a hose...



Nathan Kuhl

Oct 19, 2022, 1:33:01 PM
to GAM for Google Workspace
In an ideal world, yes. But you wouldn't believe how many employees clicked on a shared Google Doc this morning, with the title 22-23 Employee Salaries, and then proceeded to click on the malicious embedded link and give away their credentials. The problem is that I need to reach in and remove this file from their "shared with me" view in Google Drive.

David Walton

Oct 19, 2022, 1:48:14 PM
to google-ap...@googlegroups.com
Hi Nathan,

I don't know about an effective way to remove this doc from users' Google Drive, but you should be able to work with your Network admins to redirect whatever URL is in that doc to a DNS sinkhole (or, even better, a page with training on phishing attacks).

Of course, the attackers could just change the URL in the malicious doc, but they won't know what you've done, and by the time they realize it, the doc will probably be off of people's radar.



--

David Walton

Information Security Analyst

Nathan Kuhl

Oct 20, 2022, 8:57:58 AM
to GAM for Google Workspace
If a file is shared with me, it shows up in Google Docs automatically. Since I don't own the file, the gam user delete drivefile command does not work. However, in Google Drive, there's a Remove option for each file. This removes the file from being shared with me, and it disappears from my view. This is what I need GAM to be able to do. Is there a REMOVE command that can be leveraged in the API?

Jay Lee

Oct 20, 2022, 9:38:47 AM
to google-ap...@googlegroups.com
In the UI you aren't removing any permissions, you're only removing the file from your own view. Users still have access to the file.

There's no API access to removing that view, so no way GAM can do it. Even if you could, how trivial would it be for the attacker to copy the doc and get a new URL you aren't blocking?

I'd suggest focusing on 1) user phishing training and 2) tools like two step authentication and the password alert extension which can prevent successful phishing attacks:


Jay
