Background

Smartsheet is a vital tool at the Lab, powering more than 8,000 forms used to collect and process information. Malicious actors are currently targeting these forms to submit harmful text, spam, or phishing messages, often containing malicious links. The submitted data itself is not harmful: having it appear in your Smartsheet grid or in notification emails does not compromise anything. The real danger is the links. Clicking any of them could compromise your computer or lead you to a phishing site.

Mitigations

  • Exercise Caution: Treat all unexpected or strange form submissions with skepticism.
  • Do Not Click: Never click on links from unknown or suspicious form entries.
  • Clean Up the Sheet: Delete the bogus rows of data from your spreadsheet. Do not click any links while doing this.
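To support the clean-up step without anyone opening a link, here is an added example (not from the original page or from Smartsheet) that scans an exported sheet for rows containing URLs and reports their hostnames in a defanged, non-clickable form so the bogus rows can be located and deleted. The sample CSV rows and hostnames are constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample export of a form-fed sheet (not real submissions).
SAMPLE_CSV = """Name,Email,Comments
Jane Doe,jane@example.org,Requesting a badge for the June workshop.
Promo Team,promo@example.net,Claim your reward now http://reward-claim.example/login?id=42
Bob,bob@example.org,See attached; also www.example.com/files for the agenda
"""

# Matches http(s) URLs and bare "www." hosts inside free-text cells.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def defang(host: str) -> str:
    """Render a hostname so mail clients and spreadsheets will not auto-link it."""
    return host.replace(".", "[.]")


def extract_hosts(text: str) -> list[str]:
    """Return the hostnames of all URLs found in a cell; nothing is fetched."""
    hosts = []
    for match in URL_RE.findall(text):
        url = match if match.lower().startswith("http") else "http://" + match
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def flag_link_rows(csv_text: str) -> list[dict]:
    """Report every data row (1-based, header excluded) whose cells contain links.

    Each hit records the column the link appeared in and the defanged hostnames,
    which is enough to find and delete the row without clicking anything.
    """
    flagged = []
    for row_num, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        for column, cell in row.items():
            hosts = extract_hosts(cell or "")
            if hosts:
                flagged.append({"row": row_num, "column": column,
                                "hosts": [defang(h) for h in hosts]})
    return flagged


if __name__ == "__main__":
    for hit in flag_link_rows(SAMPLE_CSV):
        print(f"row {hit['row']:>3}  {hit['column']:<10} {', '.join(hit['hosts'])}")
```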

Long-Term Protection & Prevention

If your form continues to be targeted, consider the following structural changes:

  • Retire Unused Forms: If the form or spreadsheet is no longer actively needed, delete it.
  • Consider Alternative Tools: If you need a public-facing form, consider using Google Forms/Sheets.
  • Require Authentication: Change your Smartsheet form settings to require users to log in. This completely blocks external anonymous bad actors, but may not be viable for many use cases.

Challenges

  • Identifying Form Ownership and Location: Because forms can be created by individuals or teams over many years, you may inherit a sheet without knowing who the original owner is, or where the form is currently linked or embedded on the public internet.
  • Form Proliferation and "Ghost" Forms: With over 8,000 forms active, many are "ghost forms": outdated or forgotten forms from past projects that are still open to the public.

In both cases, the IT Help Desk can assist you in tracking down the owner and identifying where the form is used.

References

If you have additional questions, please reach out to [email protected]

You can refer to this page as https://go.lbl.gov/smartsheetabuse
