Brand impersonation: Google Drive fake file share
This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
name: "Brand impersonation: Google Drive fake file share"
description: |
  This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Google Drive body content looks like this
  //
  // First gate: the message has to read like a Drive share notification.
  // Either (share-style phrasing in the body AND a share-style subject), or a
  // localized "with you" phrase in the subject on its own (the language list
  // at the end of this group).
  and (
    (
      (
        // Share phrasing in the rendered thread text or the raw plain-text part
        any([body.current_thread.text, body.plain.raw],
            strings.ilike(.,
                          "*shared a file with you*",
                          "*shared with you*",
                          "*invited you to review*",
                          "*received a document*",
                          "*shared a document*",
                          "*shared a spreadsheet*",
                          "*shared this document*",
                          "*shared an item*",
                          "*received this email because you*",
                          "*shared a*with you*",
                          "*automated *mail from google*drive*",
                          "*added as an editor*",
                          "*invited you to edit*"
            )
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        // Fallback for image-only bodies: OCR a screenshot of the rendered
        // message and look for the same phrases.
        or strings.ilike(beta.ocr(file.message_screenshot()).text,
                         "*shared a file with you*",
                         "*shared with you*",
                         "*invited you to review*",
                         "*received a document*",
                         "*shared a document*",
                         "*shared a spreadsheet*",
                         "*shared this document*",
                         "*shared an item*",
                         "*received this email because you*",
                         "*shared a*with you*",
                         "*automated *mail from google*drive*",
                         "*added as an editor*",
                         "*invited you to edit*"
        )
      )
      // The subject has to look like a share/review notification as well
      and (
        strings.ilike(subject.subject,
                      "*shared*",
                      "*updated*",
                      "*sign*",
                      "*review*"
        )
        // subject names the recipient's own domain (second-level label)
        or any(recipients.to,
               strings.icontains(subject.subject, .email.domain.sld)
        )
        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
        // link text a share notification would carry
        or any(body.links,
               strings.icontains(.display_text, "open document")
               or strings.iends_with(.display_text, ".pdf")
        )
        or strings.ilike(sender.display_name, "*Google Drive*")
        or subject.subject is null
        or subject.subject == ""
        // body text opening with a spaced/obfuscated "google": in the regex each
        // '.' stands for one arbitrary character, '^' anchors at the start (of
        // the text, or of a line if multiline matching applies -- not shown here)
        or regex.icontains(body.current_thread.text, '^g.o.o.g.l.e')
      )
    )
    // A localized "with you" in the subject is accepted instead of the whole
    // body+subject group above. These are case-insensitive substring matches,
    // so the shorter entries ("Met u", "Nawe", "Con te") can also hit unrelated
    // subjects; the Google-branding and sender checks further down still have
    // to hold. "Med dig" is listed twice (Swedish and Danish) -- harmless.
    or any([
             "Contigo", // Spanish
             "Avec vous", // French
             "Mit Ihnen", // German
             "Con te", // Italian
             "Com você", // Portuguese
             "Met u", // Dutch
             "С вами", // Russian
             "与你", // Chinese (Simplified)
             "與您", // Chinese (Traditional)
             "あなたと", // Japanese
             "당신과", // Korean
             "معك", // Arabic
             "آپ کے ساتھ", // Urdu
             "আপনার সাথে", // Bengali
             "आपके साथ", // Hindi
             "Sizinle", // Turkish // Azerbaijani
             "Med dig", // Swedish
             "Z tobą", // Polish
             "З вами", // Ukrainian
             "Önnel", // Hungarian
             "Μαζί σας", // Greek
             "איתך", // Hebrew
             "กับคุณ", // Thai
             "Với bạn", // Vietnamese
             "Dengan Anda", // Indonesian // Malay
             "Nawe", // Swahili
             "Cu dumneavoastră", // Romanian
             "S vámi", // Czech
             "Med deg", // Norwegian
             "S vami", // Slovak
             "Med dig", // Danish
             "Amb vostè", // Catalan
             "Teiega", // Estonian
             "S vama", // Serbian
           ],
           strings.icontains(subject.subject, .)
    )
  )

  // contains logic that impersonates Google
  //
  // Second gate: at least one visual or textual sign that the message is
  // dressed up as Google -- a detected Google logo, Drive's share-box HTML,
  // Google's footer wording (in the body or OCR'd from an image attachment),
  // or the Google postal address.
  and (
    any(ml.logo_detect(file.message_screenshot()).brands,
        strings.starts_with(.name, "Google")
    )
    // Google Drive share box formatting
    or strings.icontains(body.html.raw,
                         '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
    )
    // The same logo/footer checks applied to image attachments. Inside the
    // nested any(recipients.to, ...) `..` refers to the enclosing attachment
    // and `.` to the recipient.
    or any(attachments,
           .file_type in $file_types_images
           and (
             any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
             or strings.icontains(beta.ocr(.).text,
                                  strings.concat("You have received this email because ",
                                                 sender.email.email,
                                                 " shared a document with you"
                                  )
             )
             or strings.icontains(beta.ocr(.).text,
                                  strings.concat("You have received this email because ",
                                                 sender.email.email,
                                                 " received a file or folder"
                                  )
             )
             or any(recipients.to,
                    strings.icontains(beta.ocr(..).text,
                                      strings.concat("You have received this email because ",
                                                     .email.email,
                                                     " shared a document with you"
                                      )
                    )
             )
             or any(recipients.to,
                    strings.icontains(beta.ocr(..).text,
                                      strings.concat("You have received this email because ",
                                                     .email.email,
                                                     " received a file or folder"
                                      )
                    )
             )
             or strings.icontains(beta.ocr(.).text,
                                  strings.concat(sender.display_name,
                                                 " (",
                                                 sender.email.email,
                                                 ") ",
                                                 "shared"
                                  )
             )
           )
    )
    // Google's footer wording built around the sender's or a recipient's
    // address, checked in the thread text
    or strings.icontains(body.current_thread.text,
                         strings.concat("You have received this email because ",
                                        sender.email.email,
                                        " shared a document with you"
                         )
    )
    or strings.icontains(body.current_thread.text,
                         strings.concat("You have received this email because ",
                                        sender.email.email,
                                        " received a file or folder"
                         )
    )
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("You have received this email because ",
                                            .email.email,
                                            " shared a document with you"
                             )
           )
    )
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("You have received this email because ",
                                            .email.email,
                                            " received a file or folder"
                             )
           )
    )
    or strings.icontains(body.current_thread.text,
                         strings.concat(sender.display_name,
                                        " (",
                                        sender.email.email,
                                        ") ",
                                        "shared"
                         )
    )
    // Google address from footer
    or 2 of (
      strings.icontains(body.current_thread.text, 'Google LLC'),
      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
      strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
    )
  )
  // At least one link must leave google.com.
  // NOTE(review): this is "not every link is google.com", which is weaker than
  // the description's "no links point to known Google domains" -- a lure that
  // mixes one off-Google link with genuine Google links still matches. With no
  // links at all, all() is presumably vacuously true and the rule does not
  // fire -- confirm that is intended.
  and not all(body.links, .href_url.domain.root_domain in ("google.com"))
  // The sender is neither one of our own domains nor google.com itself
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain not in ("google.com")
  // Header pair the rule treats as a genuine Drive notification: every
  // References entry ends in @docs-share.google.com and the return path is
  // Google's doclist bounce domain
  and not (
    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
    and headers.return_path.domain.domain == "doclist.bounces.google.com"
  )
  // negate first threads that are a legitimate Google Drive share
  // NOTE(review): the index picks the LAST element of body.previous_threads
  // while the comment says "first" -- confirm the ordering of previous_threads
  // matches the intent. That thread must have at least one link and every
  // link must be google.com.
  and not (
    length(body.previous_threads) != 0
    and length(body.previous_threads[length(body.previous_threads) - 1].links) != 0
    and all(body.previous_threads[length(body.previous_threads) - 1].links,
            .href_url.domain.root_domain == "google.com"
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a high-trust root domain is only kept when DMARC did not pass
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender reputation: unsolicited, or a never-seen sender address, or a
  // sender with malicious/spam history and nothing benign. The
  // any_messages_benign check inside the third branch is redundant with the
  // one on the last line, which applies to every branch.
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Computer Vision"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
id: "b424a941-2623-50f5-a3be-e90130e538d2"