Service Abuse: Google Drive Share From New Reply-To Domain
A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains.
Sublime rule

```yaml
name: "Service Abuse: Google Drive Share From New Reply-To Domain"
description: "A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email in (
    'drive-shares-dm-noreaply@google.com',
    'drive-shares-noreply@google.com',
  )
  and not any(headers.reply_to, .email.domain.domain in $org_domains)

  // the message needs to have a reply-to address
  and length(headers.reply_to) > 0

  // new reply-to
  and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "c1a2d367-ebdd-5557-926d-fe7b9ebfa324"
```
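The following is an added example, not part of the Sublime rule or its MQL engine: it re-implements the three conditions of the rule above in plain Python (sender is one of the two Google Drive notification addresses, at least one Reply-To present, no Reply-To in the organization's domains, and at least one Reply-To domain under 30 days old) and runs them over constructed sample messages. `network.whois(...).days_old` is replaced by a hand-built table of creation dates, `$org_domains` by the constant `ORG_DOMAINS`, and `sender.email.email` is assumed to correspond to the From header; all addresses, domains and dates in the samples are constructed.

```python
"""Added example: stand-alone re-implementation of the rule's logic.

Not Sublime's MQL engine. WHOIS data and organisational domains are
constructed constants so the example runs offline and deterministically.
"""
from datetime import date
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses
from typing import List, Optional

# The two notification senders listed in the rule (Google's spelling "noreaply" kept as-is).
GOOGLE_DRIVE_SENDERS = {
    "drive-shares-dm-noreaply@google.com",
    "drive-shares-noreply@google.com",
}

# Constructed stand-in for $org_domains.
ORG_DOMAINS = {"example.com"}

# Fixed "now" so that day counts are reproducible.
TODAY = date(2024, 6, 1)

# Constructed stand-in for network.whois(domain).days_old: domain -> creation date.
WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "old-partner.example": date(2010, 3, 2),
    "fresh-invoices-portal.example": date(2024, 5, 20),  # 12 days old on TODAY
}


def days_old(domain: str) -> Optional[int]:
    """Age of a domain in days, or None when WHOIS has no record (as MQL's null)."""
    created = WHOIS_CREATED.get(domain.lower())
    return None if created is None else (TODAY - created).days


def _domains(header_values: List[str]) -> List[str]:
    """Extract the lowercase domain part of every address in the given header values."""
    return [addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(header_values) if "@" in addr]


def matches_rule(raw: bytes) -> bool:
    """Return True when the message satisfies every condition of the rule."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # sender.email.email in (...)  -- assumed to be the From header address
    from_addrs = [a.lower() for _, a in getaddresses([str(msg.get("From", ""))])]
    if not from_addrs or from_addrs[0] not in GOOGLE_DRIVE_SENDERS:
        return False

    reply_to = _domains([str(h) for h in msg.get_all("Reply-To", [])])

    # length(headers.reply_to) > 0
    if not reply_to:
        return False

    # not any(headers.reply_to, .email.domain.domain in $org_domains)
    if any(d in ORG_DOMAINS for d in reply_to):
        return False

    # any(headers.reply_to, network.whois(.email.domain).days_old < 30)
    # A missing WHOIS record (None) does not satisfy the comparison, as null would not in MQL.
    return any(days_old(d) is not None and days_old(d) < 30 for d in reply_to)


# --- constructed sample messages ---------------------------------------------
MATCHING = b"""From: Google Drive <drive-shares-noreply@google.com>
Reply-To: Accounts Payable <ap@fresh-invoices-portal.example>
To: finance@example.com
Subject: Invoice_2024.pdf shared with you

A document was shared with you.
"""

ORG_REPLY_TO = MATCHING.replace(b"ap@fresh-invoices-portal.example", b"alice@example.com")
OLD_DOMAIN_REPLY_TO = MATCHING.replace(b"fresh-invoices-portal.example", b"old-partner.example")
NO_REPLY_TO = b"".join(l + b"\n" for l in MATCHING.splitlines() if not l.startswith(b"Reply-To:"))
NON_GOOGLE_SENDER = MATCHING.replace(b"drive-shares-noreply@google.com", b"someone@old-partner.example")

if __name__ == "__main__":
    for label, sample in [("matching", MATCHING), ("org reply-to", ORG_REPLY_TO),
                          ("old reply-to domain", OLD_DOMAIN_REPLY_TO),
                          ("no reply-to", NO_REPLY_TO), ("non-Google sender", NON_GOOGLE_SENDER)]:
        print(f"{label:22s} -> {matches_rule(sample)}")
```

Only the first sample fires; the other four each fail exactly one of the rule's conditions, which is a convenient way to check that a port of the rule to another engine keeps the same boundaries (in particular, that a domain with no WHOIS record does not count as "new").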
Related rules
- Suspicious DocuSign Share From New Domain
- Service Abuse: Google Drive Share From an Unsolicited Reply-To Address
- Suspected Lookalike domain with suspicious language
- Cyrillic vowel substitution in subject or display name from unknown sender
- Service Abuse: Dropbox Share From an Unsolicited Reply-To Address