Brand impersonation: Google Drive fake file share
This rule detects messages that impersonate a Google Drive file-sharing notification while none of the links in the body point to a known Google domain. It does not cover lures hosted on legitimate Google infrastructure (where the links genuinely resolve to google.com); those are a separate detection problem.
Sublime rule
  1name: "Brand impersonation: Google Drive fake file share"
  2description: |
  3    This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  
  9  // Google Drive body content looks like this
 10  and (
 11    (
 12      (
 13        any([body.current_thread.text, body.plain.raw],
 14            strings.ilike(.,
 15                          "*shared a file with you*",
 16                          "*shared with you*",
 17                          "*invited you to review*",
 18                          "*received a document*",
 19                          "*shared a document*",
 20                          "*shared a spreadsheet*",
 21                          "*shared this document*",
 22                          "*shared an item*",
 23                          "*received this email because you*",
 24                          "*shared a*with you*"
 25            )
 26        )
 27        //
 28        // This rule makes use of a beta feature and is subject to change without notice
 29        // using the beta feature in custom rules is not suggested until it has been formally released
 30        //
 31        or strings.ilike(beta.ocr(file.message_screenshot()).text,
 32                         "*shared a file with you*",
 33                         "*shared with you*",
 34                         "*invited you to review*",
 35                         "*received a document*",
 36                         "*shared a document*",
 37                         "*shared a spreadsheet*",
 38                         "*shared this document*",
 39                         "*shared an item*",
 40                         "*received this email because you*",
 41                         "*shared a*with you*"
 42        )
 43      )
 44      and (
 45        strings.ilike(subject.subject,
 46                      "*shared*",
 47                      "*updated*",
 48                      "*sign*",
 49                      "*review*"
 50        )
 51        or any(recipients.to,
 52               strings.icontains(subject.subject, .email.domain.sld)
 53        )
 54        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
 55        or any(body.links, strings.icontains(.display_text, "open document"))
 56        or strings.ilike(sender.display_name, "*Google Drive*")
 57        or subject.subject is null
 58        or subject.subject == ""
 59      )
 60    )
 61    or any([
 62             "Contigo", // Spanish
 63             "Avec vous", // French
 64             "Mit Ihnen", // German
 65             "Con te", // Italian
 66             "Com você", // Portuguese
 67             "Met u", // Dutch
 68             "С вами", // Russian
 69             "与你", // Chinese (Simplified)
 70             "與您", // Chinese (Traditional)
 71             "あなたと", // Japanese
 72             "당신과", // Korean
 73             "معك", // Arabic
 74             "آپ کے ساتھ", // Urdu
 75             "আপনার সাথে", // Bengali
 76             "आपके साथ", // Hindi
 77             "Sizinle", // Turkish // Azerbaijani
 78             "Med dig", // Swedish
 79             "Z tobą", // Polish
 80             "З вами", // Ukrainian
 81             "Önnel", // Hungarian
 82             "Μαζί σας", // Greek
 83             "איתך", // Hebrew
 84             "กับคุณ", // Thai
 85             "Với bạn", // Vietnamese
 86             "Dengan Anda", // Indonesian // Malay
 87             "Nawe", // Swahili
 88             "Cu dumneavoastră", // Romanian
 89             "S vámi", // Czech
 90             "Med deg", // Norwegian
 91             "S vami", // Slovak
 92             "Med dig", // Danish
 93             "Amb vostè", // Catalan
 94             "Teiega", // Estonian
 95             "S vama", // Serbian
 96           ],
 97           strings.icontains(subject.subject, .)
 98    )
 99  )
100  
101  // contains logic that impersonates Google
102  and (
103    any(ml.logo_detect(file.message_screenshot()).brands,
104        strings.starts_with(.name, "Google")
105    )
106    // Google Drive share box formatting
107    or strings.icontains(body.html.raw,
108                         '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
109    )
110    or any(attachments,
111           .file_type in $file_types_images
112           and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
113    )
114    or strings.icontains(body.current_thread.text,
115                         strings.concat("You have received this email because ",
116                                        sender.email.email,
117                                        " shared a document with you"
118                         )
119    )
120    or strings.icontains(body.current_thread.text,
121                         strings.concat("You have received this email because ",
122                                        sender.email.email,
123                                        " received a file or folder"
124                         )
125    )
126    or any(recipients.to,
127           strings.icontains(body.current_thread.text,
128                             strings.concat("You have received this email because ",
129                                            .email.email,
130                                            " shared a document with you"
131                             )
132           )
133    )
134    or any(recipients.to,
135           strings.icontains(body.current_thread.text,
136                             strings.concat("You have received this email because ",
137                                            .email.email,
138                                            " received a file or folder"
139                             )
140           )
141    )
142    // Google address from footer
143    or 2 of (
144      strings.icontains(body.current_thread.text, 'Google LLC'),
145      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
146      strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
147    )
148  )
149  and not all(body.links, .href_url.domain.root_domain in ("google.com"))
150  and sender.email.domain.root_domain not in $org_domains
151  and sender.email.domain.root_domain not in ("google.com")
152  and not (
153    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
154    and headers.return_path.domain.domain == "doclist.bounces.google.com"
155  )
156  
157  // negate highly trusted sender domains unless they fail DMARC authentication
158  and (
159    (
160      sender.email.domain.root_domain in $high_trust_sender_root_domains
161      and not headers.auth_summary.dmarc.pass
162    )
163    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
164  )
165  and (
166    profile.by_sender().solicited == false
167    or profile.by_sender_email().prevalence == "new"
168    or (
169      profile.by_sender().any_messages_malicious_or_spam
170      and not profile.by_sender().any_messages_benign
171    )
172  )
173  and not profile.by_sender().any_messages_benign  
174attack_types:
175  - "Credential Phishing"
176  - "Malware/Ransomware"
177detection_methods:
178  - "Content analysis"
179  - "Header analysis"
180  - "URL analysis"
181  - "Computer Vision"
182tactics_and_techniques:
183  - "Impersonation: Brand"
184  - "Social engineering"
185id: "b424a941-2623-50f5-a3be-e90130e538d2"