We got a notification from Google about "Malicious or unwanted software detected" on our mail server.
After our investigation we saw that all attachments in webmail can be downloaded without logging in to that email account.
So anyone who knows the attachment URL can download that attachment without logging in to that email account.
This is because the file URL is generated only once. It is a static URL if you keep the email in the same folder.
As far as we can see, there is no session control on that download link. (This is not a file share app, just an attachment in webmail.)
You can try these steps:
- Send an email with a file to your own mail address.
- Right-click the attachment and copy the URL.
- Log out from that email account.
- In a different browser or in private mode, paste the URL.
It is downloadable.
To us this looks like a security issue.
Also, those URLs are tracked by Chrome browsers, and some antivirus programs report malicious file URLs to the Google safe program.
If it is not moved for a period of time, Google flags that page as unsafe, and after that no one can download the file from webmail.
Have you ever faced that kind of problem? If yes, how did you solve it?
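
The behaviour described in the post, next to a download handler that applies session control, as an added example that is not part of the original post and not the webmail product's code. The session store, cookie name `sid`, mailbox names and attachment path are constructed assumptions; the ownership check goes one step beyond the post by also refusing a logged-in user who does not own the message.

```python
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed sample data: session id -> mailbox, attachment path -> (owner, bytes)
SESSIONS = {"sess-alice": "alice@example.test", "sess-bob": "bob@example.test"}
ATTACHMENTS = {"/attachment/12345": ("alice@example.test", b"constructed attachment bytes")}

def make_app(check_session):
    """WSGI download handler; check_session=False reproduces the post's behaviour."""
    def app(environ, start_response):
        entry = ATTACHMENTS.get(environ.get("PATH_INFO", ""))
        if entry is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        owner, data = entry
        if check_session:
            cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
            sid = cookie["sid"].value if "sid" in cookie else None
            mailbox = SESSIONS.get(sid)
            if mailbox is None:        # no valid session: send to the login page
                start_response("302 Found", [("Location", "/login")])
                return [b""]
            if mailbox != owner:       # valid session, but a different mailbox
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"forbidden"]
        start_response("200 OK", [("Content-Type", "application/octet-stream"),
                                  ("Content-Disposition", "attachment"),
                                  ("Cache-Control", "private, no-store")])
        return [data]
    return app

def probe(app, path, sid=None):
    """Call the handler with an optional session cookie; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if sid:
        environ["HTTP_COOKIE"] = f"sid={sid}"
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return int(seen[0].split()[0]), body

if __name__ == "__main__":
    for name, app in (("no session check", make_app(False)),
                      ("session check", make_app(True))):
        print(name, [probe(app, "/attachment/12345", s)[0]
                     for s in (None, "sess-bob", "sess-alice")])
```

The same three requests (logged out, another user's session, the owner's session) make a useful regression check against a real webmail after a fix is deployed.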