Educause Security Discussion mailing list archives

Re: "Google-Proxy" servers & Phishing Campaigns


From: "McLarty, Nick" <nmclarty () TAMUS EDU>
Date: Thu, 2 Jan 2020 20:27:39 +0000

I’ve seen this same behavior with Office 365 ATP and the SafeLinks feature.  ATP scans the email’s links by following 
them to see what the final destination is after all the rewrites, but unfortunately it has to actually make an HTTP 
request in order to do that, so KnowBe4 sees a click and tracks it accordingly.

This is the link to the article on how to bypass ATP; I know it’s not a direct solution for GSuite, but if you can find 
a corresponding header from Google to bypass their link scanning, this solution should work… 
https://support.knowbe4.com/hc/en-us/articles/115004326408-How-to-Bypass-Safe-Link-Attachment-Processing-of-Advanced-Threat-Protection-ATP-


Nicholas McLarty | Assistant Chief Information Security Officer
Office of Cybersecurity
nmclarty () tamus edu

1370 TAMU | College Station, TX 77843-1370
Tel. 979.234.0036 | it.tamus.edu<https://it.tamus.edu/>

The Texas A&M University System


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton 
<bartonf () HUSSON EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, January 2, 2020 at 8:33 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [Possible SPAM] [SECURITY] "Google-Proxy" servers & Phishing Campaigns

Hi folks (and I apologize for the cross posting),

We've run into something interesting, and I'm wondering if anybody has any insight.

We use KnowBe4 as our Phishing/training/testing vendor, and have seen a lot of "clicks" coming from the 
66.102.8.0/24 subnet. These machines are all identified as 
"Google-Proxy-<IP>.google.com"

We've reached out to KnowBe4 about this, and the response we got was effectively, "yeah, and?" on the theory that a 
click is a click, no matter where it came from. In some cases, I would believe that the users had clicked, but in 
others I believe the users when they say that they didn't click on the links.

Has anybody else seen this? Does anybody know what might be triggering these requests to the unique URLs? does anybody 
have any insight into what the google-proxy servers are used for?

Over half of the "clicks" are coming from these IP addresses. This feels very much like the proverbial "Once is 
happenstance, twice is coincidence, three [or more] is enemy action", and I don't like things I can't explain.

Thank You
Frank

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
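Both messages describe the same problem: a mail-security link scanner (Google's proxy hosts in the original post, Office 365 ATP SafeLinks in the reply) fetches the unique tracking URL, and the phishing-simulation platform records that fetch as a user click. The snippet below is an added example, not code from the thread, from KnowBe4 or from Google: it triages an exported click log by separating clicks that originate from the 66.102.8.0/24 range or from hosts named `google-proxy-…google.com` (the only identifiers the post gives) from clicks that came from anywhere else, so that users whose only "click" was the scanner's can be cleared. The `ClickEvent` field names and the sample events are assumptions constructed for the example; the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for ordinary user addresses.

```python
import ipaddress
from dataclasses import dataclass

# Source subnet the original post reports for the suspect "clicks".
SCANNER_SUBNETS = [ipaddress.ip_network("66.102.8.0/24")]

# Reverse-DNS naming pattern quoted in the post: "Google-Proxy-<IP>.google.com".
SCANNER_RDNS_PREFIX = "google-proxy-"
SCANNER_RDNS_SUFFIX = ".google.com"


@dataclass(frozen=True)
class ClickEvent:
    """One click record from a phishing-simulation export (field names are assumed)."""
    user: str
    src_ip: str
    rdns: str = ""  # reverse DNS of src_ip, as resolved by the reporting tool


def is_scanner_click(ev: ClickEvent) -> bool:
    """True if the click came from a known link-scanner range or hostname pattern."""
    ip = ipaddress.ip_address(ev.src_ip)
    if any(ip in net for net in SCANNER_SUBNETS):
        return True
    # Fallback on the reverse-DNS name; weaker than the subnet match because
    # reverse DNS is controlled by whoever owns the address block.
    name = ev.rdns.lower()
    return name.startswith(SCANNER_RDNS_PREFIX) and name.endswith(SCANNER_RDNS_SUFFIX)


def triage(events):
    """Split events into (human_clicks, scanner_clicks), preserving order."""
    human = [e for e in events if not is_scanner_click(e)]
    scanner = [e for e in events if is_scanner_click(e)]
    return human, scanner


def users_with_real_clicks(events):
    """Users who clicked from at least one address that is not a scanner."""
    return {e.user for e in events if not is_scanner_click(e)}


def users_cleared(events):
    """Users whose only recorded clicks came from scanner addresses."""
    all_users = {e.user for e in events}
    return all_users - users_with_real_clicks(events)


# Constructed sample export (not real data). bob and dave only ever "clicked"
# from the scanner range; alice clicked from a scanner and then from her own address.
SAMPLE_EVENTS = [
    ClickEvent("alice", "66.102.8.45", "google-proxy-66-102-8-45.google.com"),
    ClickEvent("alice", "198.51.100.23"),
    ClickEvent("bob", "66.102.8.102", "google-proxy-66-102-8-102.google.com"),
    ClickEvent("carol", "203.0.113.7"),
    ClickEvent("dave", "66.102.8.9", "Google-Proxy-66-102-8-9.google.com"),
]

if __name__ == "__main__":
    human, scanner = triage(SAMPLE_EVENTS)
    print(f"{len(scanner)} scanner clicks, {len(human)} human clicks")
    print("real clickers:", sorted(users_with_real_clicks(SAMPLE_EVENTS)))
    print("cleared:", sorted(users_cleared(SAMPLE_EVENTS)))
```

This is after-the-fact cleanup of the campaign report; it only works if the export carries the source address of each click, and it does not remove the scanner's fetch itself. The fix the reply points at (getting the scanner to skip the simulation's links) prevents the false click from being recorded at all, which is preferable whenever the vendor documents a supported way to do it.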

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

