Brand impersonation: Google Drive fake file share

This rule detects messages impersonating a Google Drive file-sharing notification (share phrasing in the body text or in OCR of a message screenshot, plus Google branding via logo detection, a Google-style footer or the "You have received this email because ... shared" boilerplate) where at least one link points somewhere other than google.com and the sender is neither Google, an org domain, nor an established benign sender. Note that the link condition is `not all(links are google.com)`, so messages with no links at all are not matched.


  1name: "Brand impersonation: Google Drive fake file share"
  2description: |
  3    This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  
  9  // Google Drive body content looks like this
 10  and (
 11    (
 12      (
 13        any([body.current_thread.text, body.plain.raw],
 14            strings.ilike(.,
 15                          "*shared a file with you*",
 16                          "*shared with you*",
 17                          "*invited you to review*",
 18                          "*received a document*",
 19                          "*shared a document*",
 20                          "*shared this document*",
 21                          "*shared an item*",
 22                          "*received this email because you*",
 23                          "*shared a*with you*"
 24            )
 25        )
 26        or any(file.explode(beta.message_screenshot()),
 27               strings.ilike(.scan.ocr.raw,
 28                             "*shared a file with you*",
 29                             "*shared with you*",
 30                             "*invited you to review*",
 31                             "*received a document*",
 32                             "*shared a document*",
 33                             "*shared this document*",
 34                             "*shared an item*",
 35                             "*received this email because you*",
 36                             "*shared a*with you*"
 37               )
 38        )
 39      )
 40      and (
 41        strings.ilike(subject.subject,
 42                      "*shared*",
 43                      "*updated*",
 44                      "*sign*",
 45                      "*review*"
 46        )
 47        or any(recipients.to, strings.icontains(subject.subject, .email.domain.sld))
 48        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
 49        or any(body.links, strings.icontains(.display_text, "open document"))
 50        or strings.ilike(sender.display_name, "*Google Drive*")
 51        or subject.subject is null
 52        or subject.subject == ""
 53      )
 54    )
 55    or any([
 56             "Contigo", // Spanish
 57             "Avec vous", // French
 58             "Mit Ihnen", // German
 59             "Con te", // Italian
 60             "Com você", // Portuguese
 61             "Met u", // Dutch
 62             "С вами", // Russian
 63             "与你", // Chinese (Simplified)
 64             "與您", // Chinese (Traditional)
 65             "あなたと", // Japanese
 66             "당신과", // Korean
 67             "معك", // Arabic
 68             "آپ کے ساتھ", // Urdu
 69             "আপনার সাথে", // Bengali
 70             "आपके साथ", // Hindi
 71             "Sizinle", // Turkish // Azerbaijani
 72             "Med dig", // Swedish
 73             "Z tobą", // Polish
 74             "З вами", // Ukrainian
 75             "Önnel", // Hungarian
 76             "Μαζί σας", // Greek
 77             "איתך", // Hebrew
 78             "กับคุณ", // Thai
 79             "Với bạn", // Vietnamese
 80             "Dengan Anda", // Indonesian // Malay
 81             "Nawe", // Swahili
 82             "Cu dumneavoastră", // Romanian
 83             "S vámi", // Czech
 84             "Med deg", // Norwegian
 85             "S vami", // Slovak
 86             "Med dig", // Danish
 87             "Amb vostè", // Catalan
 88             "Teiega", // Estonian
 89             "S vama", // Serbian
 90           ],
 91           strings.icontains(subject.subject, .)
 92    )
 93  )
 94  
 95  // contains logic that impersonates Google
 96  and (
 97    any(ml.logo_detect(beta.message_screenshot()).brands,
 98        strings.starts_with(.name, "Google")
 99    )
100    or any(attachments,
101           .file_type in $file_types_images
102           and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
103    )
104    or strings.icontains(body.current_thread.text,
105                         strings.concat("You have received this email because ",
106                                        sender.email.email,
107                                        " shared a document with you"
108                         )
109    )
110    or strings.icontains(body.current_thread.text,
111                         strings.concat("You have received this email because ",
112                                        sender.email.email,
113                                        " received a file or folder"
114                         )
115    )
116    or any(recipients.to,
117           strings.icontains(body.current_thread.text,
118                             strings.concat("You have received this email because ",
119                                            .email.email,
120                                            " shared a document with you"
121                             )
122           )
123    )
124    or any(recipients.to,
125           strings.icontains(body.current_thread.text,
126                             strings.concat("You have received this email because ",
127                                            .email.email,
128                                            " received a file or folder"
129                             )
130           )
131    )
132    // Google address from footer
133    or 2 of (
134      strings.icontains(body.current_thread.text, 'Google LLC'),
135      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
136      strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
137    )
138  )
139  and not all(body.links, .href_url.domain.root_domain in ("google.com"))
140  and sender.email.domain.root_domain not in $org_domains
141  and sender.email.domain.root_domain not in ("google.com")
142  and not (
143    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
144    and headers.return_path.domain.domain == "doclist.bounces.google.com"
145  )
146  
147  // negate highly trusted sender domains unless they fail DMARC authentication
148  and (
149    (
150      sender.email.domain.root_domain in $high_trust_sender_root_domains
151      and not headers.auth_summary.dmarc.pass
152    )
153    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
154  )
155  and (
156    profile.by_sender().solicited == false
157    or profile.by_sender_email().prevalence == "new"
158    or (
159      profile.by_sender().any_messages_malicious_or_spam
160      and not profile.by_sender().any_messages_benign
161    )
162  )
163  and not profile.by_sender().any_messages_benign  
164attack_types:
165  - "Credential Phishing"
166  - "Malware/Ransomware"
167detection_methods:
168  - "Content analysis"
169  - "Header analysis"
170  - "URL analysis"
171  - "Computer Vision"
172tactics_and_techniques:
173  - "Impersonation: Brand"
174  - "Social engineering"
175id: "b424a941-2623-50f5-a3be-e90130e538d2"