Impersonation: Chrome Web Store Policy

calendar Mar 18, 2025  ·
Share on: linkedin copy

Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation.

Sublime rule (View on GitHub)

 1name: "Impersonation: Chrome Web Store Policy"
 2description: "Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation."
 3references:
 4  - "https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension"
 5  - "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and sender.email.domain.domain != 'gmail.com'
11  and (
12    // subject and sender
13    sender.email.domain.root_domain in (
14      "chromeforextension.com",
15      "forextensions.com",
16      "supportchromestore.com"
17    )
18    or (
19      2 of (
20        strings.icontains(sender.email.domain.root_domain, 'chrome'),
21        strings.icontains(sender.email.domain.root_domain, 'support'),
22        strings.icontains(sender.email.domain.root_domain, 'extension'),
23        strings.icontains(sender.email.domain.root_domain, 'webstore')
24      )
25    )
26    or strings.icontains(sender.email.local_part, 'chromewebstore')
27    or strings.icontains(sender.display_name, "Webstore Extension")
28    or strings.icontains(subject.subject, 'Chrome Web Store Policy')
29    // body and html
30    or strings.icontains(body.html.raw,
31                         '<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
32    )
33    or regex.icontains(body.current_thread.text,
34                       'Item name: [^\s]+ security extension'
35    )
36    or strings.icontains(body.current_thread.text,
37                         'Chrome Web Store Developer Support'
38    )
39    or strings.icontains(body.current_thread.text, 'Developer Program Policies')
40    or strings.icontains(body.current_thread.text,
41                         'Relevant section of the program policy:'
42    )
43    or strings.icontains(body.current_thread.text,
44                         'Please accept our policies to continue publishing your products.'
45    )
46  
47    // links
48    or (
49      length(distinct(body.links, .href_url.domain.root_domain)) < 10
50      and any(body.links,
51              .href_url.domain.root_domain in (
52                "checkpolicy.site",
53                "extensionpolicyprivacy.com",
54                "extensionpolicy.net",
55                "policyextension.info"
56              )
57              or .href_url.path == '/extension-policy-check'
58              or .display_text == "Go To Policy"
59      )
60    )
61  )
62  // negate messages sent by Google support
63  and not (
64    sender.email.domain.root_domain == 'google.com'
65    and headers.auth_summary.dmarc.pass
66  )  
67attack_types:
68  - "Credential Phishing"
69tactics_and_techniques:
70  - "Impersonation: Brand"
71  - "Free email provider"
72  - "Lookalike domain"
73detection_methods:
74  - "Content analysis"
75  - "Header analysis"
76  - "HTML analysis"
77  - "Sender analysis"
78  - "URL analysis"
79id: "4a98f283-8cc6-5864-bafb-e1908d0a5a8b"
to-top