Brand impersonation: Google Drive fake file share
This rule detects messages impersonating a Google Drive file-sharing email where at least one link points somewhere other than a known Google domain (links to sites.google.com are treated as non-Google, since that service has been observed being abused), and the sender is not Google or a known-benign sender.
# Sublime Security detection rule. The MQL query under `source` is evaluated
# per message; the rule fires when the whole boolean expression is true.
name: "Brand impersonation: Google Drive fake file share"
# NOTE(review): the query below fires when NOT ALL links resolve to google.com
# (sites.google.com excluded), i.e. when at least one link leaves Google —
# slightly broader than "no links point to known Google domains".
description: |
  This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
type: "rule"
severity: "medium"
source: |
  // Only inbound mail is evaluated.
  type.inbound

  // ---------------------------------------------------------------------
  // Part 1: the message must read like a Google Drive share notification.
  // ---------------------------------------------------------------------
  // Google Drive body content looks like this
  and (
    (
      (
        // Share-notification phrasing in the current thread text or the raw
        // plain-text body (case-insensitive glob match).
        any([body.current_thread.text, body.plain.raw],
          strings.ilike(.,
            "*shared a file with you*",
            "*shared with you*",
            "*invited you to review*",
            "*received a document*",
            "*shared a document*",
            "*shared a spreadsheet*",
            "*shared this document*",
            "*shared an item*",
            "*received this email because you*",
            "*shared a*with you*",
            "*automated *mail from google*drive*",
            "*added as an editor*",
            "*invited you to edit*"
          )
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        // Same phrasing, but read via OCR from a rendered screenshot of the
        // message, so text embedded in images is also covered.
        or strings.ilike(beta.ocr(file.message_screenshot()).text,
          "*shared a file with you*",
          "*shared with you*",
          "*invited you to review*",
          "*received a document*",
          "*shared a document*",
          "*shared a spreadsheet*",
          "*shared this document*",
          "*shared an item*",
          "*received this email because you*",
          "*shared a*with you*",
          "*automated *mail from google*drive*",
          "*added as an editor*",
          "*invited you to edit*"
        )
        // suspicious subjects
        or (
          (
            // Subject of the form: shared "<name>" with you.
            regex.icontains(subject.subject, 'shared \".*\" with you')
            // Dropbox share notifications use the same subject shape and are
            // excluded here rather than treated as Google impersonation.
            and sender.email.domain.root_domain != "dropbox.com"
          )
          // with Google Drive terminology in body content
          and any([body.current_thread.text, body.plain.raw],
            strings.ilike(.,
              "*Google Drive*",
              "*Google Doc*",
              "*Google Sheet*",
              "*Google Slide*"
            )
          )
        )
      )
      // Secondary indicator: the subject, link text or sender name must also
      // look like a share notification (or the subject is missing entirely).
      and (
        strings.ilike(subject.subject,
          "*shared*",
          "*updated*",
          "*sign*",
          "*review*"
        )
        // Subject mentions the recipient's own second-level domain.
        or any(recipients.to,
          strings.icontains(subject.subject, .email.domain.sld)
        )
        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
        // Link display text typical of a document lure.
        or any(body.links,
          strings.icontains(.display_text, "open document")
          or strings.iends_with(.display_text, ".pdf")
        )
        or strings.ilike(sender.display_name, "*Google Drive*")
        or subject.subject is null
        or subject.subject == ""
        // Anchored at the start of the thread text; '.' is a regex wildcard, so
        // this also catches spaced/obfuscated forms such as "g o o g l e".
        or regex.icontains(body.current_thread.text, '^g.o.o.g.l.e')
      )
    )
    // Alternative entry: a localized "with you" phrase in the subject, to catch
    // non-English share lures that the English globs above miss.
    or any([
      "Contigo", // Spanish
      "Avec vous", // French
      "Mit Ihnen", // German
      "Con te", // Italian
      "Com você", // Portuguese
      "Met u", // Dutch
      "С вами", // Russian
      "与你", // Chinese (Simplified)
      "與您", // Chinese (Traditional)
      "あなたと", // Japanese
      "당신과", // Korean
      "معك", // Arabic
      "آپ کے ساتھ", // Urdu
      "আপনার সাথে", // Bengali
      "आपके साथ", // Hindi
      "Sizinle", // Turkish // Azerbaijani
      "Med dig", // Swedish
      "Z tobą", // Polish
      "З вами", // Ukrainian
      "Önnel", // Hungarian
      "Μαζί σας", // Greek
      "איתך", // Hebrew
      "กับคุณ", // Thai
      "Với bạn", // Vietnamese
      "Dengan Anda", // Indonesian // Malay
      "Nawe", // Swahili
      "Cu dumneavoastră", // Romanian
      "S vámi", // Czech
      "Med deg", // Norwegian
      "S vami", // Slovak
      "Med dig", // Danish
      "Amb vostè", // Catalan
      "Teiega", // Estonian
      "S vama", // Serbian
      ],
      strings.icontains(subject.subject, .)
    )
  )

  // ---------------------------------------------------------------------
  // Part 2: the message must carry Google branding.
  // ---------------------------------------------------------------------
  // contains logic that impersonates Google
  and (
    // Logo detection on a screenshot of the rendered message.
    any(ml.logo_detect(file.message_screenshot()).brands,
      strings.starts_with(.name, "Google")
    )
    // Google Drive share box formatting
    // Exact markup of the share card as seen in genuine Drive notifications;
    // phishing kits frequently copy it verbatim.
    or strings.icontains(body.html.raw,
      '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
    )
    // Image attachments: either a Google logo, or OCR text reproducing the
    // Drive footer sentence with the sender's or a recipient's address.
    or any(attachments,
      .file_type in $file_types_images
      and (
        any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
        or strings.icontains(beta.ocr(.).text,
          strings.concat("You have received this email because ",
            sender.email.email,
            " shared a document with you"
          )
        )
        or strings.icontains(beta.ocr(.).text,
          strings.concat("You have received this email because ",
            sender.email.email,
            " received a file or folder"
          )
        )
        // Inside the nested any(), '..' presumably refers back to the
        // attachment being iterated by the outer any(); '.' is the recipient.
        or any(recipients.to,
          strings.icontains(beta.ocr(..).text,
            strings.concat("You have received this email because ",
              .email.email,
              " shared a document with you"
            )
          )
        )
        or any(recipients.to,
          strings.icontains(beta.ocr(..).text,
            strings.concat("You have received this email because ",
              .email.email,
              " received a file or folder"
            )
          )
        )
        // "<Display Name> (<address>) shared" as Drive renders the sharer line.
        or strings.icontains(beta.ocr(.).text,
          strings.concat(sender.display_name,
            " (",
            sender.email.email,
            ") ",
            "shared"
          )
        )
      )
    )
    // Same footer sentences, this time in the thread text rather than OCR.
    or strings.icontains(body.current_thread.text,
      strings.concat("You have received this email because ",
        sender.email.email,
        " shared a document with you"
      )
    )
    or strings.icontains(body.current_thread.text,
      strings.concat("You have received this email because ",
        sender.email.email,
        " received a file or folder"
      )
    )
    or any(recipients.to,
      strings.icontains(body.current_thread.text,
        strings.concat("You have received this email because ",
          .email.email,
          " shared a document with you"
        )
      )
    )
    or any(recipients.to,
      strings.icontains(body.current_thread.text,
        strings.concat("You have received this email because ",
          .email.email,
          " received a file or folder"
        )
      )
    )
    or strings.icontains(body.current_thread.text,
      strings.concat(sender.display_name,
        " (",
        sender.email.email,
        ") ",
        "shared"
      )
    )
    // Google address from footer
    // Any two of the three postal-footer fragments.
    or 2 of (
      strings.icontains(body.current_thread.text, 'Google LLC'),
      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
      strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
    )
  )

  // ---------------------------------------------------------------------
  // Part 3: exclusions for genuine Google mail and trusted senders.
  // ---------------------------------------------------------------------
  // Fires only when at least one link leaves google.com; a link to
  // sites.google.com is deliberately NOT treated as safe.
  // NOTE(review): if body.links is empty, all() is presumably vacuously true,
  // so this negation suppresses link-less messages (e.g. attachment-only
  // lures) — confirm against MQL semantics if that coverage is wanted.
  and not (
    // Google Sites has been observed abused
    all(body.links,
      .href_url.domain.root_domain in ("google.com")
      // allow for matches against sites.google.com, which has been observed being abused
      and .href_url.domain.domain != "sites.google.com"
    )
  )
  // Never fire on the organisation's own domains or on google.com itself.
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain not in ("google.com")
  // Header fingerprint of a genuine Drive share notification: References
  // message-ids on docs-share.google.com and a doclist.bounces.google.com
  // return path. Both must hold for the exclusion to apply.
  and not (
    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
    and headers.return_path.domain.domain == "doclist.bounces.google.com"
  )
  // negate first threads that are a legitimate Google Drive share
  // Looks at the last element of previous_threads (the earliest message in the
  // chain) and suppresses when every link in it points to google.com.
  and not (
    length(body.previous_threads) != 0
    and length(body.previous_threads[length(body.previous_threads) - 1].links) != 0
    and all(body.previous_threads[length(body.previous_threads) - 1].links,
      .href_url.domain.root_domain == "google.com"
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain only passes through when DMARC did NOT pass
  // (i.e. a possible spoof); everyone else is always evaluated.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender reputation gate: unsolicited, or a never-before-seen address, or a
  // sender with only malicious/spam history.
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // Any benign history for the sender suppresses the rule outright; this also
  // makes the inner "not any_messages_benign" check above effectively redundant.
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Computer Vision"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
id: "b424a941-2623-50f5-a3be-e90130e538d2"