<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Arial",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Arial",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Good afternoon,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>I received this alert from the campus IT Security team, and wanted to pass it along to all of you. Please read carefully and be mindful of this and other similar phishing email scams out there, waiting to trick you into clicking on a suspicious link or attachment that should have been reviewed more carefully. Please pass this message to students in your areas as well, as they may not be as aware of phishing scams as you all are.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>I’m sure IT Security is doing their best to filter out this email from the email server, but let’s do our part by practicing more due diligence to protect ourselves in the meantime.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Kiet Luong<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Director of Engineering Computing<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>College Information Security Officer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Cullen College of Engineering<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>University of Houston<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Email: KietL@uh.edu<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Voice: 713.743.9974<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>We did have reports of this message being received here at UH, and at other universities nationwide, but we have no indication of any compromises due to the message here at UH.</span><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> <o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>SUBJECT: MS-ISAC CYBER ALERT – Google Docs Phishing Campaigns Targeting MS-ISAC Members</span></b><o:p></o:p></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span></b><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>On May 3, 2017, the Multi-State Information Sharing and Analysis Center (MS-ISAC) received reporting from five states regarding a Google Docs phishing email campaign. The details of the attack are as follows:</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>· The email body states “[name] has invited you to view the following document:” and includes a link to “Open in Docs”. The link opens to a legitimate Google login page.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>· Once the recipients enter their credentials or select an account, a permissions box for a fraudulent application hosted at hxxps://googledocs[.]g-docs[.]win requests access to the user’s address book and email.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>· Once the victim clicks “Allow” this provides the attacker access to their email account and address book but not their calendar. The attacker can then send phishing emails to other targets from the compromised account.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>According to open source reporting, individuals and several private sector entities are receiving these emails as well, and this campaign is not specifically directed at SLTT governments. It is likely that the use of address books results in individuals in similar industries receiving emails from colleagues in their sector. For this reason, many of the phishing emails reported to the MS-ISAC appear to be sent from addresses belonging to state, local, tribal, and territorial (SLTT) government and educational entities. If you receive similar emails, do not click on any links and delete the email immediately.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>Per a trusted third party, Google is aware of the campaign and has identified it as an Oauth exploit. Google has blocked the sender and users should receive the Google 404 error if they click on the link. Google is in the process of shutting down the sender's site.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>RECOMMENDATIONS:</span></b><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>We recommend the following general best practices, to limit the effect of phishing emails and scams on your organization:</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>1. Remind users not to open suspicious emails or attachments, or follow suspicious links, as they may contain malware.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>2. Implement filters at the email gateway to filter out emails with known phishing indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>3. Adhere to the principal of least privilege.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>If a user granted permissions to their account, these permissions can be revoked at the “Connected Apps and Sites” page of Google’s Account Settings. The user’s password should also be reset.</span></b><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>If you experience similar targeting, please report the email to the MS-ISAC SOC at <a href="mailto:SOC@msisac.org">SOC@msisac.org</a>.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>The MS-ISAC is interested in your comments - an anonymous feedback survey is available at: <a href="https://www.surveymonkey.com/r/MSISACProductEvaluation">https://www.surveymonkey.com/r/MSISACProductEvaluation</a>.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>24x7 Security Operations Center</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>Multi-State Information Sharing and Analysis Center (MS-ISAC)</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>31 Tech Valley Drive</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>East Greenbush, NY 12061</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'><a href="mailto:SOC@cisecurity.org">SOC@cisecurity.org</a> - 866.787.4722</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><a href="https://msisac.cisecurity.org/"><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:windowtext;text-decoration:none'><img border=0 width=178 height=41 id="Picture_x005f_x0020_15" src="cid:image001.png@01D2C439.2B94D5C0" alt="cid:image001.png@01D2C438.20C94640"></span></a><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><a href="https://www.facebook.com/CenterforIntSec"><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:windowtext;text-decoration:none'><img border=0 width=32 height=33 id="Picture_x005f_x0020_14" src="cid:image002.png@01D2C439.2B94D5C0" alt="cid:image002.png@01D2C438.20C94640"></span></a><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><a href="https://twitter.com/CISecurity"><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:windowtext;text-decoration:none'><img border=0 width=32 height=33 id="Picture_x005f_x0020_13" src="cid:image003.png@01D2C439.2B94D5C0" alt="cid:image003.png@01D2C438.20C94640"></span></a><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><a href="https://www.youtube.com/user/TheCISecurity"><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:windowtext;text-decoration:none'><img border=0 width=32 height=33 id="Picture_x005f_x0020_12" src="cid:image004.png@01D2C439.2B94D5C0" alt="cid:image004.png@01D2C438.20C94640"></span></a><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><a href="https://www.linkedin.com/company/the-center-for-internet-security"><span style='font-size:11.0pt;font-family:"Arial",sans-serif;color:windowtext;text-decoration:none'><img border=0 width=32 height=33 id="Picture_x005f_x0020_11" src="cid:image005.png@01D2C439.2B94D5C0" alt="cid:image005.png@01D2C438.20C94640"></span></a><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal align=center style='text-align:center'><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>TLP: WHITE</span></b><o:p></o:p></p><p class=MsoNormal align=center style='text-align:center'><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.</span></b><o:p></o:p></p><p class=MsoNormal align=center style='text-align:center'><b><span style='font-size:11.0pt;font-family:"Arial",sans-serif'><a href="https://www.us-cert.gov/tlp/">https://www.us-cert.gov/tlp/</a></span></b><o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt'>This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. </span><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></p></div></blockquote></div></body></html>