Service Abuse: Google Drive Share From New Reply-To Domain

A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains. Because the notification is genuinely sent by Google, sender reputation and authentication checks pass; the signal here is the Reply-To header, which an attacker sets on the shared document so that any response is steered to infrastructure they control. The domain age comes from a WHOIS lookup, so a reply-to domain with no WHOIS record does not trigger the rule.

Sublime rule

name: "Service Abuse: Google Drive Share From New Reply-To Domain"
description: "A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // the two Google Drive notification senders
  and sender.email.email in (
    'drive-shares-dm-noreply@google.com',
    'drive-shares-noreply@google.com',
  )
  // none of the reply-to addresses belong to the organization
  and not any(headers.reply_to, .email.domain.domain in $org_domains)

  // the message needs to have a reply-to address
  and length(headers.reply_to) > 0

  // new reply-to: registered fewer than 30 days ago
  and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "c1a2d367-ebdd-5557-926d-fe7b9ebfa324"
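To see how the rule's conditions behave on real headers, the following is an added example that re-implements the same logic in plain Python and runs it over a few constructed messages. It is not the rule, nor Sublime's code: the org-domain list, the WHOIS creation-date table, the helper names and the sample e-mails are all assumptions made for this example, and the message direction (type.inbound) is assumed to have been checked upstream.

```python
"""Offline re-implementation of the rule's conditions for constructed
messages. Everything below (ORG_DOMAINS, the WHOIS table, the sample
mail, the helper names) is an assumption made for this example; the real
rule uses Sublime's MQL functions (type.inbound, network.whois,
$org_domains), not this code."""
from datetime import date
from email import message_from_string
from email.utils import getaddresses
from typing import Callable, Dict, Iterable, Optional

# The two Google Drive notification senders named in the rule.
GOOGLE_DRIVE_SENDERS = {
    "drive-shares-dm-noreply@google.com",
    "drive-shares-noreply@google.com",
}
MAX_DAYS_OLD = 30                 # "recently registered" threshold from the rule
ORG_DOMAINS = {"example.com"}     # assumed stand-in for $org_domains

# Constructed WHOIS creation dates standing in for network.whois(...).days_old.
TODAY = date(2024, 5, 30)
WHOIS_CREATED: Dict[str, date] = {
    "invoice-portal-2024.example": date(2024, 5, 20),  # 10 days old
    "trusted-partner.example": date(2015, 3, 1),       # years old
}


def stub_whois_created(domain: str) -> Optional[date]:
    """Stand-in for a WHOIS lookup; None means no record was found."""
    return WHOIS_CREATED.get(domain)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def in_org_domains(domain: str, org_domains: Iterable[str]) -> bool:
    # Subdomains of an organizational domain count as organizational too.
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def rule_matches(raw_message: str,
                 whois_created: Callable[[str], Optional[date]],
                 today: date,
                 org_domains: Iterable[str] = ORG_DOMAINS) -> bool:
    """Google Drive sender, at least one Reply-To, none organizational,
    and at least one Reply-To domain registered fewer than 30 days ago."""
    msg = message_from_string(raw_message)
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    if not senders or senders[0] not in GOOGLE_DRIVE_SENDERS:
        return False
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    if not reply_to:                          # length(headers.reply_to) > 0
        return False
    domains = [domain_of(a) for a in reply_to]
    if any(in_org_domains(d, org_domains) for d in domains):
        return False                          # not any(... in $org_domains)
    for d in domains:                         # any(... days_old < 30)
        created = whois_created(d)
        if created is not None and (today - created).days < MAX_DAYS_OLD:
            return True
    return False                              # no WHOIS record: no age, no match


# Constructed sample messages (not real mail); variants derived from the first.
NEW_DOMAIN = """\
From: "Alice (via Google Drive)" <drive-shares-dm-noreply@google.com>
Reply-To: alice@invoice-portal-2024.example
To: bob@example.com
Subject: Document shared with you: "Invoice_May"

Alice shared a document.
"""
OLD_DOMAIN = NEW_DOMAIN.replace("invoice-portal-2024.example", "trusted-partner.example")
ORG_DOMAIN = NEW_DOMAIN.replace("alice@invoice-portal-2024.example", "alice@example.com")
NO_REPLY_TO = NEW_DOMAIN.replace("Reply-To: alice@invoice-portal-2024.example\n", "")
NOT_GOOGLE = NEW_DOMAIN.replace("drive-shares-dm-noreply@google.com",
                                "alice@invoice-portal-2024.example")
NO_WHOIS = NEW_DOMAIN.replace("invoice-portal-2024.example", "never-seen.example")


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample; only NEW_DOMAIN should alert."""
    samples = [("new_domain", NEW_DOMAIN), ("old_domain", OLD_DOMAIN),
               ("org_domain", ORG_DOMAIN), ("no_reply_to", NO_REPLY_TO),
               ("not_google", NOT_GOOGLE), ("no_whois", NO_WHOIS)]
    return {name: rule_matches(raw, stub_whois_created, TODAY) for name, raw in samples}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:12} -> {'ALERT' if hit else 'pass'}")
```

The WHOIS lookup is injected as a function so the check runs offline here and can be swapped for a real client in production; note that a missing or unparseable WHOIS record yields no age and therefore no alert, which is the same blind spot the MQL comparison has when network.whois returns nothing.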
