Google Drive abuse: Credential phishing link

This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.

The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.

Sublime rule

```yaml
name: "Google Drive abuse: Credential phishing link"
description: |
  This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.

  The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.email in (
    "drive-shares-dm-noreply@google.com",
    "drive-shares-noreply@google.com"
  )

  // observed malicious shares don't include the Google "added you as an editor" phrase.
  // allowing user edits to a malicious document could neuter the threat
  and not strings.contains(body.current_thread.text, "added you as an editor")
  and any(body.links,
          .href_url.domain.domain != "support.google.com"
          and any(file.explode(beta.linkanalysis(.).screenshot),
                  (
                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft"
                        and .confidence in ("medium", "high")
                    )
                    and (
                      length(ml.logo_detect(beta.linkanalysis(..).screenshot).brands
                      ) > 0
                      and beta.linkanalysis(..).credphish.disposition == "phishing"
                    )
                  )
                  and not beta.linkanalysis(..).effective_url.domain.domain == "accounts.google.com"
                  // standard Google Docs error
                  and not strings.contains(.scan.ocr.raw,
                                           "encountered an error. Please try reloading this page"
                  )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Impersonation: Brand"
detection_methods:
  - "Computer Vision"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "c74aece0-b8ac-53bc-861f-ac28a419a345"
```
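The nested `any(...)` structure above is easy to misread: the `accounts.google.com` and Google Docs error exclusions sit inside the per-screenshot loop, not at the top level. The following plain-Python model, added here as an illustration and not code from Sublime or the rule's authors, restates how the conditions combine and runs it over constructed sample messages. The `Screenshot`, `Link` and `Message` record shapes and every sample value are assumptions made for this example; they mirror the fields the rule references but are not Sublime's real data model, and the string checks are modelled as plain case-sensitive substring tests.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sender addresses the rule allowlists (taken from the rule above).
DRIVE_SHARE_SENDERS = {
    "drive-shares-dm-noreply@google.com",
    "drive-shares-noreply@google.com",
}
# OCR text of the standard Google Docs error page, excluded by the rule.
GOOGLE_DOCS_ERROR = "encountered an error. Please try reloading this page"


@dataclass
class Screenshot:  # hypothetical shape of one exploded link screenshot
    ocr_text: str                      # .scan.ocr.raw
    intents: List[Tuple[str, str]]     # (name, confidence) from ml.nlu_classifier
    brands: List[str]                  # ml.logo_detect(...).brands
    credphish_disposition: str         # beta.linkanalysis(..).credphish.disposition
    effective_domain: str              # beta.linkanalysis(..).effective_url.domain.domain


@dataclass
class Link:  # hypothetical shape of one body link
    domain: str                        # .href_url.domain.domain
    screenshots: List[Screenshot]      # file.explode(beta.linkanalysis(.).screenshot)


@dataclass
class Message:  # hypothetical shape of one message
    sender: str                        # sender.email.email
    body_text: str                     # body.current_thread.text
    links: List[Link]                  # body.links
    inbound: bool = True               # type.inbound


def screenshot_matches(s: Screenshot) -> bool:
    # Inner any(): branded cred-theft content, not a Google login or Docs error page.
    cred_theft_intent = any(
        name == "cred_theft" and confidence in ("medium", "high")
        for name, confidence in s.intents
    )
    branded_phish = len(s.brands) > 0 and s.credphish_disposition == "phishing"
    return (
        cred_theft_intent
        and branded_phish
        and s.effective_domain != "accounts.google.com"
        and GOOGLE_DOCS_ERROR not in s.ocr_text
    )


def link_matches(link: Link) -> bool:
    # Outer any(): a non-support.google.com link with at least one matching screenshot.
    return link.domain != "support.google.com" and any(
        screenshot_matches(s) for s in link.screenshots
    )


def rule_matches(msg: Message) -> bool:
    # Top level: inbound Drive share, no editor grant, at least one flagged link.
    return (
        msg.inbound
        and msg.sender in DRIVE_SHARE_SENDERS
        and "added you as an editor" not in msg.body_text
        and any(link_matches(link) for link in msg.links)
    )


# Constructed sample data (not real observations).
PHISH_SHOT = Screenshot(
    ocr_text="Your mailbox is full. Sign in to review pending messages",
    intents=[("cred_theft", "high")], brands=["Microsoft"],
    credphish_disposition="phishing", effective_domain="example-storage.invalid",
)
ERROR_SHOT = Screenshot(
    ocr_text="Google Docs encountered an error. Please try reloading this page",
    intents=[("cred_theft", "medium")], brands=["Google"],
    credphish_disposition="phishing", effective_domain="docs.google.com",
)
SAMPLES: Dict[str, Message] = {
    "phishing_share": Message("drive-shares-noreply@google.com",
        "someone@example.invalid shared a file with you: Payment_Notice.pdf",
        [Link("support.google.com", []), Link("drive.google.com", [PHISH_SHOT])]),
    "editor_share": Message("drive-shares-noreply@google.com",
        "colleague@example.invalid added you as an editor on Q3 Budget",
        [Link("drive.google.com", [PHISH_SHOT])]),
    "docs_error_share": Message("drive-shares-dm-noreply@google.com",
        "someone@example.invalid shared a file with you",
        [Link("drive.google.com", [ERROR_SHOT])]),
    "spoofed_sender": Message("drive-shares@example.invalid",
        "someone shared a file with you",
        [Link("drive.google.com", [PHISH_SHOT])]),
}


def evaluate_samples() -> Dict[str, bool]:
    # Returns the rule verdict for every constructed sample.
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

Running the script shows only `phishing_share` matching: the editor-grant share, the share whose screenshot is the Docs error page, and the message from a non-Google sender all fall through, which is the behaviour the rule's comments describe.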