Service Abuse: Google Drive Share From an Unsolicited Reply-To Address

Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.

Sublime rule

name: "Service Abuse: Google Drive Share From an Unsolicited Reply-To Address"
description: "Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email in (
    'drive-shares-dm-noreply@google.com',
    'drive-shares-noreply@google.com',
  )
  and not any(headers.reply_to, .email.domain.domain in $org_domains)

  // the message needs to have a reply-to address
  and length(headers.reply_to) > 0

  // reply-to email address has never been sent an email by the org
  and not (
    any(headers.reply_to, .email.email in $recipient_emails)
    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
    or any(filter(headers.reply_to,
                  // filter the list to only emails that are not in free_email_providers
                  (
                    .email.domain.domain not in $free_email_providers
                    or .email.domain.root_domain not in $free_email_providers
                  )
           ),
           .email.domain.domain in $recipient_domains
    )
  )
  // reply-to address has never sent an email to the org
  and not (
    any(headers.reply_to, .email.email in $sender_emails)
    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
    or any(filter(headers.reply_to,
                  // filter the list to only emails that are not in free_email_providers
                  (
                    .email.domain.domain not in $free_email_providers
                    or .email.domain.root_domain not in $free_email_providers
                  )
           ),
           .email.domain.root_domain in $sender_domains
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "4581ec0c-aed2-50ed-8e16-2c9ca1d350ff"
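To show how the rule's two "never seen" blocks behave on concrete input, here is an added Python re-implementation of its logic run over constructed messages; it is not the Sublime rule or any Sublime code, and the enrichment lists ($org_domains, $free_email_providers, $recipient_emails, $recipient_domains, $sender_emails, $sender_domains) are constructed stand-ins. It shows the key asymmetry: a free-provider reply-to is only cleared by an exact address match, while a corporate reply-to is also cleared by prior traffic with its domain.

```python
# Added example, not the Sublime rule itself. All lists and messages are constructed.
GOOGLE_DRIVE_SENDERS = {"drive-shares-dm-noreply@google.com",
                        "drive-shares-noreply@google.com"}
ORG_DOMAINS = {"example.com"}                 # stand-in for $org_domains
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}
RECIPIENT_EMAILS = {"vendor@partner.test"}    # addresses the org has mailed
RECIPIENT_DOMAINS = {"partner.test"}
SENDER_EMAILS = {"known.contact@gmail.com"}   # addresses that have mailed the org
SENDER_DOMAINS = {"supplier.test"}

def domain(addr):
    return addr.rsplit("@", 1)[1]

def root_domain(addr):
    # Simplified to the last two labels; Sublime's root_domain uses the public suffix list.
    return ".".join(domain(addr).split(".")[-2:])

def seen_in_org_traffic(addr):
    """The rule's two 'and not (...)' blocks, evaluated for one reply-to address.
    A free-provider address only counts as seen on an exact match; others also
    count if their domain has been mailed by, or has mailed, the org."""
    d, rd = domain(addr), root_domain(addr)
    # Mirrors the rule's filter, which uses 'or' between the domain and root-domain checks.
    not_free = d not in FREE_EMAIL_PROVIDERS or rd not in FREE_EMAIL_PROVIDERS
    mailed_by_org = addr in RECIPIENT_EMAILS or (not_free and d in RECIPIENT_DOMAINS)
    mailed_the_org = addr in SENDER_EMAILS or (not_free and rd in SENDER_DOMAINS)
    return mailed_by_org or mailed_the_org

def matches(msg):
    # msg = {"inbound": bool, "sender": str, "reply_to": [str, ...]}
    if not msg["inbound"] or msg["sender"].lower() not in GOOGLE_DRIVE_SENDERS:
        return False
    reply_to = [a.lower() for a in msg["reply_to"]]
    if not reply_to or any(domain(a) in ORG_DOMAINS for a in reply_to):
        return False
    return not any(seen_in_org_traffic(a) for a in reply_to)

def drive_share(*reply_to, sender="drive-shares-noreply@google.com"):
    return {"inbound": True, "sender": sender, "reply_to": list(reply_to)}

SAMPLES = {  # constructed; only the first should fire
    "unknown_gmail_reply_to": drive_share("unknown.sender@gmail.com"),
    "known_gmail_contact": drive_share("known.contact@gmail.com"),
    "known_partner_domain": drive_share("new.person@partner.test"),
    "internal_reply_to": drive_share("alice@example.com"),
    "no_reply_to": drive_share(),
}

def evaluate_samples():
    return {name: matches(msg) for name, msg in SAMPLES.items()}
```

Note that "known_partner_domain" does not fire even though the exact address is new, because the partner domain is in the constructed $recipient_domains stand-in; this is the rule's intended suppression of already-established business relationships.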
