Brand impersonation: Google Drive fake file share
This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
# Sublime detection rule: YAML metadata plus an MQL query under `source`.
# The query only fires when every top-level `and` clause in `source` holds.
# Names prefixed with `$` (e.g. $org_domains) are list variables defined
# outside this rule file.
name: "Brand impersonation: Google Drive fake file share"
description: |
  This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
type: "rule"
severity: "medium"
source: |
  // only inbound mail is evaluated
  type.inbound

  // Google Drive body content looks like this
  // Clause 1: Drive-style share wording. Either the English phrases appear
  // (in the thread text / raw body, or in OCR of a rendered screenshot) AND
  // the subject or sender display name looks like a share notification, OR
  // a localized "with you" phrase appears in the subject.
  and (
    (
      (
        any([body.current_thread.text, body.plain.raw],
            strings.ilike(.,
                          "*shared a file with you*",
                          "*shared with you*",
                          "*invited you to review*",
                          "*received a document*",
                          "*shared a document*",
                          "*shared this document*",
                          "*shared an item*",
                          "*received this email because you*",
                          "*shared a*with you*"
            )
        )
        // same phrase list, but run against OCR text of a message screenshot
        // so image-only bodies are not missed
        or any(file.explode(beta.message_screenshot()),
               strings.ilike(.scan.ocr.raw,
                             "*shared a file with you*",
                             "*shared with you*",
                             "*invited you to review*",
                             "*received a document*",
                             "*shared a document*",
                             "*shared this document*",
                             "*shared an item*",
                             "*received this email because you*",
                             "*shared a*with you*"
               )
        )
      )
      and (
        strings.ilike(subject.subject,
                      "*shared*",
                      "*updated*",
                      "*sign*",
                      "*review*"
        )
        // a recipient's own second-level domain name appears in the subject
        or any(recipients.to, strings.icontains(subject.subject, .email.domain.sld))
        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
        or any(body.links, strings.icontains(.display_text, "open document"))
        or strings.ilike(sender.display_name, "*Google Drive*")
        // a missing or empty subject also satisfies this sub-clause
        or subject.subject is null
        or subject.subject == ""
      )
    )
    // non-English "with you" phrases; these are matched against the subject
    // only, with no accompanying body-text requirement
    or any([
             "Contigo", // Spanish
             "Avec vous", // French
             "Mit Ihnen", // German
             "Con te", // Italian
             "Com você", // Portuguese
             "Met u", // Dutch
             "С вами", // Russian
             "与你", // Chinese (Simplified)
             "與您", // Chinese (Traditional)
             "あなたと", // Japanese
             "당신과", // Korean
             "معك", // Arabic
             "آپ کے ساتھ", // Urdu
             "আপনার সাথে", // Bengali
             "आपके साथ", // Hindi
             "Sizinle", // Turkish // Azerbaijani
             "Med dig", // Swedish
             "Z tobą", // Polish
             "З вами", // Ukrainian
             "Önnel", // Hungarian
             "Μαζί σας", // Greek
             "איתך", // Hebrew
             "กับคุณ", // Thai
             "Với bạn", // Vietnamese
             "Dengan Anda", // Indonesian // Malay
             "Nawe", // Swahili
             "Cu dumneavoastră", // Romanian
             "S vámi", // Czech
             "Med deg", // Norwegian
             "S vami", // Slovak
             "Med dig", // Danish
             "Amb vostè", // Catalan
             "Teiega", // Estonian
             "S vama", // Serbian
           ],
           strings.icontains(subject.subject, .)
    )
  )

  // contains logic that impersonates Google
  // Clause 2: at least one explicit Google brand signal.
  and (
    // Google logo detected in a screenshot of the rendered message
    any(ml.logo_detect(beta.message_screenshot()).brands,
        strings.starts_with(.name, "Google")
    )
    // Google logo detected in an image attachment
    or any(attachments,
           .file_type in $file_types_images
           and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
    )
    // Drive notification footer sentence, built around the sender address
    or strings.icontains(body.current_thread.text,
                         strings.concat("You have received this email because ",
                                        sender.email.email,
                                        " shared a document with you"
                         )
    )
    or strings.icontains(body.current_thread.text,
                         strings.concat("You have received this email because ",
                                        sender.email.email,
                                        " received a file or folder"
                         )
    )
    // same footer sentence, built around any To: recipient address
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("You have received this email because ",
                                            .email.email,
                                            " shared a document with you"
                             )
           )
    )
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("You have received this email because ",
                                            .email.email,
                                            " received a file or folder"
                             )
           )
    )
    // Google address from footer
    // any two of the three fragments are enough
    or 2 of (
      strings.icontains(body.current_thread.text, 'Google LLC'),
      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
      strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
    )
  )
  // Clause 3: at least one body link does NOT resolve to google.com.
  // This is looser than the description's "no links point to known Google
  // domains": a message mixing google.com links with one non-Google link
  // still matches. A message with no links at all does not match.
  and not all(body.links, .href_url.domain.root_domain in ("google.com"))
  // Clause 4: sender is neither one of the organisation's own domains nor google.com
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain not in ("google.com")
  // Clause 5: exclude mail carrying both genuine Drive share markers —
  // every References entry under docs-share.google.com AND the Drive bounce
  // return path. NOTE(review): if all() over an empty References list
  // evaluates true, this exclusion then rests on the return-path check
  // alone — confirm MQL semantics for empty lists.
  and not (
    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
    and headers.return_path.domain.domain == "doclist.bounces.google.com"
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Clause 7: sender reputation — unsolicited, first-seen, or previously
  // flagged with no benign history
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // redundant with the unconditional `not any_messages_benign` below;
      // kept for readability of this branch
      and not profile.by_sender().any_messages_benign
    )
  )
  // Clause 8: any prior benign message from this sender suppresses the rule
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Computer Vision"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
id: "b424a941-2623-50f5-a3be-e90130e538d2"