Brand impersonation: Google Drive fake file share
This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
name: "Brand impersonation: Google Drive fake file share"
description: |
  This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only.
  type.inbound

  // Google Drive body content looks like this
  //
  // Section 1 - share-notification wording. Matches when either
  //   (a) the body text, or an OCR pass over the rendered message, carries a
  //       Drive-style share phrase AND the subject looks like a share
  //       notification (or is missing/empty), or
  //   (b) the subject carries a localized "with you" phrase.
  and (
    (
      (
        any([body.current_thread.text, body.plain.raw],
            strings.ilike(.,
                          "*shared a file with you*",
                          "*shared with you*",
                          "*invited you to review*",
                          "*received a document*",
                          "*shared a document*",
                          "*shared a spreadsheet*",
                          "*shared this document*",
                          "*shared an item*",
                          "*received this email because you*",
                          "*shared a*with you*",
                          "*automated *mail from google*drive*"
            )
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        // Same phrase list, applied to OCR text of the message screenshot so
        // that image-only bodies are also covered.
        or strings.ilike(beta.ocr(file.message_screenshot()).text,
                         "*shared a file with you*",
                         "*shared with you*",
                         "*invited you to review*",
                         "*received a document*",
                         "*shared a document*",
                         "*shared a spreadsheet*",
                         "*shared this document*",
                         "*shared an item*",
                         "*received this email because you*",
                         "*shared a*with you*",
                         "*automated *mail from google*drive*"
        )
      )
      and (
        // Subject reads like a share/review notification...
        strings.ilike(subject.subject,
                      "*shared*",
                      "*updated*",
                      "*sign*",
                      "*review*"
        )
        // ...or names a recipient's organisation (second-level domain)...
        or any(recipients.to,
               strings.icontains(subject.subject, .email.domain.sld)
        )
        // ...or a Google Docs/Sheets/Slides product name...
        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
        // ...or a link is labelled like a document call-to-action...
        or any(body.links,
               strings.icontains(.display_text, "open document")
               or strings.iends_with(.display_text, ".pdf")
        )
        // ...or the sender claims to be Google Drive, or there is no subject at all.
        or strings.ilike(sender.display_name, "*Google Drive*")
        or subject.subject is null
        or subject.subject == ""
      )
    )
    // Localized "with you" phrases, substring-matched case-insensitively
    // against the subject.
    or any([
             "Contigo", // Spanish
             "Avec vous", // French
             "Mit Ihnen", // German
             "Con te", // Italian
             "Com você", // Portuguese
             "Met u", // Dutch
             "С вами", // Russian
             "与你", // Chinese (Simplified)
             "與您", // Chinese (Traditional)
             "あなたと", // Japanese
             "당신과", // Korean
             "معك", // Arabic
             "آپ کے ساتھ", // Urdu
             "আপনার সাথে", // Bengali
             "आपके साथ", // Hindi
             "Sizinle", // Turkish // Azerbaijani
             "Med dig", // Swedish
             "Z tobą", // Polish
             "З вами", // Ukrainian
             "Önnel", // Hungarian
             "Μαζί σας", // Greek
             "איתך", // Hebrew
             "กับคุณ", // Thai
             "Với bạn", // Vietnamese
             "Dengan Anda", // Indonesian // Malay
             "Nawe", // Swahili
             "Cu dumneavoastră", // Romanian
             "S vámi", // Czech
             "Med deg", // Norwegian
             "S vami", // Slovak
             "Med dig", // Danish (same string as the Swedish entry above)
             "Amb vostè", // Catalan
             "Teiega", // Estonian
             "S vama", // Serbian
           ],
           strings.icontains(subject.subject, .)
    )
  )

  // contains logic that impersonates Google
  //
  // Section 2 - Google branding. Any one of: a Google logo detected in the
  // message screenshot, the Drive share-box table markup, an image attachment
  // carrying a Google logo or Drive-style OCR text, Drive-style footer
  // sentences in the body text, or two of the three Google postal-address lines.
  and (
    any(ml.logo_detect(file.message_screenshot()).brands,
        strings.starts_with(.name, "Google")
    )
    // Google Drive share box formatting
    or strings.icontains(body.html.raw,
                         '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
    )
    // Image attachments: logo detection, or OCR text containing the Drive
    // footer sentence (built around the sender's or a recipient's address) or
    // the "<name> (<email>) shared" line. Inside the nested any() over
    // recipients, `..` is the enclosing attachment rather than the recipient.
    or any(attachments,
           .file_type in $file_types_images
           and (
             any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
             or strings.icontains(beta.ocr(.).text,
                                  strings.concat("You have received this email because ",
                                                 sender.email.email,
                                                 " shared a document with you"
                                  )
             )
             or strings.icontains(beta.ocr(.).text,
                                  strings.concat("You have received this email because ",
                                                 sender.email.email,
                                                 " received a file or folder"
                                  )
             )
             or any(recipients.to,
                    strings.icontains(beta.ocr(..).text,
                                      strings.concat("You have received this email because ",
                                                     .email.email,
                                                     " shared a document with you"
                                      )
                    )
             )
             or any(recipients.to,
                    strings.icontains(beta.ocr(..).text,
                                      strings.concat("You have received this email because ",
                                                     .email.email,
                                                     " received a file or folder"
                                      )
                    )
             )
             or strings.icontains(beta.ocr(.).text,
                                  strings.concat(sender.display_name,
                                                 " (",
                                                 sender.email.email,
                                                 ") ",
                                                 "shared"
                                  )
             )
           )
    )
    // The same footer sentences, looked for in the plain body text instead of
    // attachment OCR.
    or strings.icontains(body.current_thread.text,
                         strings.concat("You have received this email because ",
                                        sender.email.email,
                                        " shared a document with you"
                         )
    )
    or strings.icontains(body.current_thread.text,
                         strings.concat("You have received this email because ",
                                        sender.email.email,
                                        " received a file or folder"
                         )
    )
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("You have received this email because ",
                                            .email.email,
                                            " shared a document with you"
                             )
           )
    )
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("You have received this email because ",
                                            .email.email,
                                            " received a file or folder"
                             )
           )
    )
    or strings.icontains(body.current_thread.text,
                         strings.concat(sender.display_name,
                                        " (",
                                        sender.email.email,
                                        ") ",
                                        "shared"
                         )
    )
    // Google address from footer
    or 2 of (
      strings.icontains(body.current_thread.text, 'Google LLC'),
      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
      strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
    )
  )

  // Section 3 - exclusions. At least one body link must lead off google.com,
  // the sender must be neither an org domain nor google.com, and genuine Drive
  // notifications (identified by References/Return-Path headers, or by an
  // earlier thread whose links all point to google.com) are dropped.
  //
  // NOTE(review): `not all(links, root_domain in google.com)` is satisfied by
  // a single non-Google link, which is broader than the description's "no
  // links point to known Google domains" - a message mixing google.com and
  // other links still matches. Behaviour when body.links is empty depends on
  // how all() treats an empty list - confirm before relying on it.
  and not all(body.links, .href_url.domain.root_domain in ("google.com"))
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain not in ("google.com")
  // Genuine Drive notification headers: every References entry ends with
  // @docs-share.google.com and the Return-Path domain is
  // doclist.bounces.google.com.
  and not (
    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
    and headers.return_path.domain.domain == "doclist.bounces.google.com"
  )
  // negate first threads that are a legitimate Google Drive share
  // Inspects the last element of body.previous_threads (presumably the
  // original message of the thread - confirm ordering) and requires it to
  // have links, all of which resolve to google.com.
  and not (
    length(body.previous_threads) != 0
    and length(body.previous_threads[length(body.previous_threads) - 1].links) != 0
    and all(body.previous_threads[length(body.previous_threads) - 1].links,
            .href_url.domain.root_domain == "google.com"
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender reputation: unsolicited, newly seen by email address, or a
  // malicious/spam history with no benign history.
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // NOTE(review): this repeats the `not any_messages_benign` test already
  // inside the third branch above, so that inner clause is redundant; the
  // combined condition is equivalent to requiring no benign sender history
  // unconditionally.
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Computer Vision"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
id: "b424a941-2623-50f5-a3be-e90130e538d2"