Impersonation: Chrome Web Store Policy

calendar Jan 25, 2025  ·
Share on: linkedin copy

Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation.

Sublime rule (View on GitHub)

 1name: "Impersonation: Chrome Web Store Policy"
 2description: "Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation."
 3references:
 4  - "https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension"
 5  - "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  // all observed sender.email.domain have had MX records pointing to smtp.google.com
11  and strings.ends_with(headers.message_id, '@mail.gmail.com>')
12  and sender.email.domain.domain != 'gmail.com'
13  and (
14    // subject and sender
15    sender.email.domain.root_domain in (
16      "chromeforextension.com",
17      "forextensions.com",
18      "supportchromestore.com"
19    )
20    or (
21      2 of (
22        strings.icontains(sender.email.domain.root_domain, 'chrome'),
23        strings.icontains(sender.email.domain.root_domain, 'support'),
24        strings.icontains(sender.email.domain.root_domain, 'extension'),
25        strings.icontains(sender.email.domain.root_domain, 'webstore')
26      )
27    )
28    or strings.icontains(sender.email.local_part, 'chromewebstore')
29    or strings.icontains(sender.display_name, "Webstore Extension")
30    or strings.icontains(subject.subject, 'Chrome Web Store Policy')
31    // body and html
32    or strings.icontains(body.html.raw,
33                         '<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
34    )
35    or regex.icontains(body.current_thread.text,
36                       'Item name: [^\s]+ security extension'
37    )
38    or strings.icontains(body.current_thread.text,
39                         'Chrome Web Store Developer Support'
40    )
41    or strings.icontains(body.current_thread.text, 'Developer Program Policies')
42    or strings.icontains(body.current_thread.text,
43                         'Relevant section of the program policy:'
44    )
45    or strings.icontains(body.current_thread.text,
46                         'Please accept our policies to continue publishing your products.'
47    )
48  
49    // links
50    or (
51      length(distinct(body.links, .href_url.domain.root_domain)) < 10
52      and any(body.links,
53              .href_url.domain.root_domain in (
54                "checkpolicy.site",
55                "extensionpolicyprivacy.com",
56                "extensionpolicy.net",
57                "policyextension.info"
58              )
59              or .href_url.path == '/extension-policy-check'
60              or .display_text == "Go To Policy"
61      )
62    )
63  )
64  // negate messages sent by Google support
65  and not (
66    sender.email.domain.root_domain == 'google.com'
67    and headers.auth_summary.dmarc.pass
68  )  
69attack_types:
70  - "Credential Phishing"
71tactics_and_techniques:
72  - "Impersonation: Brand"
73  - "Free email provider"
74  - "Lookalike domain"
75detection_methods:
76  - "Content analysis"
77  - "Header analysis"
78  - "HTML analysis"
79  - "Sender analysis"
80  - "URL analysis"
81id: "4a98f283-8cc6-5864-bafb-e1908d0a5a8b"
to-top