Google Drive abuse: Credential phishing link

calendar Apr 25, 2024  ·
Share on: linkedin copy

This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.

The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.

Sublime rule (View on GitHub)

 1name: "Google Drive abuse: Credential phishing link"
 2description: |
 3  This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.
 4
 5  The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.  
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and sender.email.email in (
11    "drive-shares-dm-noreply@google.com",
12    "drive-shares-noreply@google.com"
13  )
14
15  // malicious observed shares don't include the google "Added you as an editor" phrase.
16  // allowing user edits to a malicous document could neuter the threat
17  and not strings.contains(body.current_thread.text, "added you as an editor")
18  and any(body.links,
19          .href_url.domain.domain != "support.google.com"
20          and any(file.explode(ml.link_analysis(.).screenshot),
21                  (
22                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
23                        .name == "cred_theft"
24                        and .confidence in ("medium", "high")
25                    )
26                    and (
27                      length(ml.logo_detect(ml.link_analysis(..).screenshot).brands
28                      ) > 0
29                      and ml.link_analysis(..).credphish.disposition == "phishing"
30                    )
31                  )
32                  and not ml.link_analysis(..).effective_url.domain.domain == "accounts.google.com"
33                  // standard Google Docs error
34                  and not strings.contains(.scan.ocr.raw,
35                                           "encountered an error. Please try reloading this page"
36                  )
37          )
38  )  
39
40attack_types:
41  - "Credential Phishing"
42tactics_and_techniques:
43  - "Free file host"
44  - "Impersonation: Brand"
45detection_methods:
46  - "Computer Vision"
47  - "Natural Language Understanding"
48  - "Optical Character Recognition"
49  - "Sender analysis"
50  - "URL analysis"
51  - "URL screenshot"
52id: "c74aece0-b8ac-53bc-861f-ac28a419a345"
to-top