Google Drive abuse: Credential phishing link

This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.

The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.

Sublime rule:

```yaml
name: "Google Drive abuse: Credential phishing link"
description: |
  This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.

  The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.email in (
    "drive-shares-dm-noreply@google.com",
    "drive-shares-noreply@google.com"
  )

  // malicious observed shares don't include the Google "Added you as an editor" phrase.
  // allowing user edits to a malicious document could neuter the threat
  and not strings.contains(body.current_thread.text, "added you as an editor")
  and any(filter(body.links,
                 .href_url.domain.domain != "support.google.com"
                 and .display_text == "Open"
          ),
          (
            (
              ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
            )
            and length(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot
                       ).brands
            ) > 0
          )
          or any(file.explode(ml.link_analysis(.).screenshot),
                 (
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence in ("medium", "high")
                   )
                   and (
                     length(ml.logo_detect(ml.link_analysis(..).screenshot).brands
                     ) > 0
                     and ml.link_analysis(..).credphish.disposition == "phishing"
                   )
                 )
                 and not ml.link_analysis(..).effective_url.domain.domain == "accounts.google.com"
                 // standard Google Docs error
                 and not strings.contains(.scan.ocr.raw,
                                          "encountered an error. Please try reloading this page"
                 )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Impersonation: Brand"
detection_methods:
  - "Computer Vision"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "c74aece0-b8ac-53bc-861f-ac28a419a345"
```
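The deterministic gates of the rule (Drive share sender, no "added you as an editor" phrase, "Open" links that do not point at support.google.com), reproduced in Python on a constructed share notification as an added example; this is not the rule's own code or Sublime's engine, and the ML stages (link analysis, logo detection, OCR intent) are left to a caller-supplied `verdict` callable, which is an assumption of this example.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sender addresses and phrase taken from the rule above.
SHARE_SENDERS = {"drive-shares-dm-noreply@google.com", "drive-shares-noreply@google.com"}
EDITOR_PHRASE = "added you as an editor"

# Constructed sample Drive share notification (placeholder file id, no real target).
SAMPLE = """From: Google Drive <drive-shares-dm-noreply@google.com>
To: recipient@example.com
Subject: Document shared with you: "Invoice.pdf"
Content-Type: text/html; charset=utf-8

<html><body><p>someone@example.com shared a file with you.</p>
<a href="https://drive.google.com/file/d/PLACEHOLDER_ID/view">Open</a>
<a href="https://support.google.com/drive/answer/2494822">Open</a>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, display_text) pairs plus the message's visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text_parts, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []
    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def candidate_links(raw_message: str) -> list:
    """Hrefs that survive the rule's pre-ML filter; [] if the message is gated out."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    if sender not in SHARE_SENDERS:
        return []
    part = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(part.get_content() if part else "")
    if EDITOR_PHRASE in "".join(parser.text_parts).lower():
        return []  # editor shares were not observed as malicious
    return [href for href, text in parser.links
            if text == "Open" and urlparse(href).hostname != "support.google.com"]

def is_credphish_share(raw_message: str, verdict) -> bool:
    """verdict(href) -> bool stands in for the rule's ML link/screenshot analysis."""
    return any(verdict(href) for href in candidate_links(raw_message))
```

Only the links returned by `candidate_links` would be worth the cost of screenshotting and OCR, which is the point of the rule's filter before the `ml.*` calls.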