Service Abuse: Google Drive Share From an Unsolicited Reply-To Address
Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.
Sublime rule (View on GitHub)
1name: "Service Abuse: Google Drive Share From an Unsolicited Reply-To Address"
2description: "Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and sender.email.email in (
8 'drive-shares-dm-noreply@google.com',
9 'drive-shares-noreply@google.com',
10 )
11 and not any(headers.reply_to, .email.domain.domain in $org_domains)
12
13 //
14 // This rule makes use of a beta feature and is subject to change without notice
15 // using the beta feature in custom rules is not suggested until it has been formally released
16 //
17
18 // reply-to address has never sent an email to the org
19 and beta.profile.by_reply_to().prevalence == "new"
20
21 // reply-to email address has never been sent an email by the org
22 and not beta.profile.by_reply_to().solicited
23
24 // do not match if the reply_to address has been observed as a reply_to address
25 // of a message that has been classified as benign
26 and not beta.profile.by_reply_to().any_messages_benign
27
28tags:
29 - "Attack surface reduction"
30attack_types:
31 - "BEC/Fraud"
32 - "Callback Phishing"
33 - "Credential Phishing"
34tactics_and_techniques:
35 - "Free email provider"
36 - "Social engineering"
37 - "Free file host"
38detection_methods:
39 - "Header analysis"
40 - "Sender analysis"
41id: "4581ec0c-aed2-50ed-8e16-2c9ca1d350ff"