Brand impersonation: Google Drive fake file share

This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Google Drive fake file share"
  2description: |
  3    This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  
  9  // Google Drive body content looks like this
 10  and (
 11    (
 12      (
 13        any([body.current_thread.text, body.plain.raw],
 14            strings.ilike(.,
 15                          "*shared a file with you*",
 16                          "*shared with you*",
 17                          "*invited you to review*",
 18                          "*received a document*",
 19                          "*shared a document*",
 20                          "*shared a spreadsheet*",
 21                          "*shared this document*",
 22                          "*shared an item*",
 23                          "*received this email because you*",
 24                          "*shared a*with you*",
 25                          "*automated *mail from google*drive*",
 26                          "*added as an editor*",
 27                          "*invited you to edit*"
 28            )
 29        )
 30        //
 31        // This rule makes use of a beta feature and is subject to change without notice
 32        // using the beta feature in custom rules is not suggested until it has been formally released
 33        //
 34        or strings.ilike(beta.ocr(file.message_screenshot()).text,
 35                         "*shared a file with you*",
 36                         "*shared with you*",
 37                         "*invited you to review*",
 38                         "*received a document*",
 39                         "*shared a document*",
 40                         "*shared a spreadsheet*",
 41                         "*shared this document*",
 42                         "*shared an item*",
 43                         "*received this email because you*",
 44                         "*shared a*with you*",
 45                         "*automated *mail from google*drive*",
 46                         "*added as an editor*",
 47                         "*invited you to edit*"
 48        )
 49        // suspicious subjects
 50        or (
 51          (
 52            regex.icontains(subject.subject, 'shared \".*\" with you')
 53            and sender.email.domain.root_domain != "dropbox.com"
 54          )
 55          // with Google Drive terminology in body content
 56          and any([body.current_thread.text, body.plain.raw],
 57                  strings.ilike(.,
 58                                "*Google Drive*",
 59                                "*Google Doc*",
 60                                "*Google Sheet*",
 61                                "*Google Slide*"
 62                  )
 63          )
 64        )
 65      )
 66      and (
 67        strings.ilike(subject.subject,
 68                      "*shared*",
 69                      "*updated*",
 70                      "*sign*",
 71                      "*review*"
 72        )
 73        or (
 74          any(recipients.to,
 75              strings.icontains(subject.subject, .email.domain.sld)
 76              or (
 77                (.email.domain.valid == false)
 78                and all(recipients.cc, .email.domain.valid == false)
 79              )
 80          )
 81          or length(recipients.to) == 0
 82        )
 83        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
 84        or any(body.links,
 85               strings.icontains(.display_text, "open document")
 86               or strings.iends_with(.display_text, ".pdf")
 87               or (
 88                 .display_text =~ "Open"
 89                 and network.whois(.href_url.domain).days_old < 365
 90               )
 91               or any(recipients.to,
 92                      strings.icontains(..display_text, .email.email)
 93                      or strings.icontains(..display_text, .email.local_part)
 94               )
 95        )
 96        or strings.ilike(sender.display_name, "*Google Drive*")
 97        or subject.subject is null
 98        or subject.subject == ""
 99        or regex.icontains(body.current_thread.text, '^g.o.o.g.l.e')
100      )
101    )
102    or any([
103             "Contigo", // Spanish
104             "Avec vous", // French
105             "Mit Ihnen", // German
106             "Con te", // Italian
107             "Com você", // Portuguese
108             "Met u", // Dutch
109             "С вами", // Russian
110             "与你", // Chinese (Simplified)
111             "與您", // Chinese (Traditional)
112             "あなたと", // Japanese
113             "당신과", // Korean
114             "معك", // Arabic
115             "آپ کے ساتھ", // Urdu
116             "আপনার সাথে", // Bengali
117             "आपके साथ", // Hindi
118             "Sizinle", // Turkish // Azerbaijani
119             "Med dig", // Swedish
120             "Z tobą", // Polish
121             "З вами", // Ukrainian
122             "Önnel", // Hungarian
123             "Μαζί σας", // Greek
124             "איתך", // Hebrew
125             "กับคุณ", // Thai
126             "Với bạn", // Vietnamese
127             "Dengan Anda", // Indonesian // Malay
128             "Nawe", // Swahili
129             "Cu dumneavoastră", // Romanian
130             "S vámi", // Czech
131             "Med deg", // Norwegian
132             "S vami", // Slovak
133             "Med dig", // Danish
134             "Amb vostè", // Catalan
135             "Teiega", // Estonian
136             "S vama", // Serbian
137           ],
138           strings.icontains(subject.subject, .)
139    )
140  )
141  
142  // contains logic that impersonates Google
143  and (
144    any(ml.logo_detect(file.message_screenshot()).brands,
145        strings.starts_with(.name, "Google")
146    )
147    // Google Drive share box formatting
148    or strings.icontains(body.html.raw,
149                         '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
150    )
151    or any(attachments,
152           .file_type in $file_types_images
153           and (
154             any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
155             or strings.icontains(beta.ocr(.).text,
156                                  strings.concat("You have received this email because ",
157                                                 sender.email.email,
158                                                 " shared a document with you"
159                                  )
160             )
161             or strings.icontains(beta.ocr(.).text,
162                                  strings.concat("You have received this email because ",
163                                                 sender.email.email,
164                                                 " received a file or folder"
165                                  )
166             )
167             or any(recipients.to,
168                    strings.icontains(beta.ocr(..).text,
169                                      strings.concat("You have received this email because ",
170                                                     .email.email,
171                                                     " shared a document with you"
172                                      )
173                    )
174             )
175             or any(recipients.to,
176                    strings.icontains(beta.ocr(..).text,
177                                      strings.concat("You have received this email because ",
178                                                     .email.email,
179                                                     " received a file or folder"
180                                      )
181                    )
182             )
183             or strings.icontains(beta.ocr(.).text,
184                                  strings.concat(sender.display_name,
185                                                 " (",
186                                                 sender.email.email,
187                                                 ") ",
188                                                 "shared"
189                                  )
190             )
191           )
192    )
193    or strings.icontains(body.current_thread.text,
194                         strings.concat("You have received this email because ",
195                                        sender.email.email,
196                                        " shared a document with you"
197                         )
198    )
199    or strings.icontains(body.current_thread.text,
200                         strings.concat("You have received this email because ",
201                                        sender.email.email,
202                                        " received a file or folder"
203                         )
204    )
205    or any(recipients.to,
206           strings.icontains(body.current_thread.text,
207                             strings.concat("You have received this email because ",
208                                            .email.email,
209                                            " shared a document with you"
210                             )
211           )
212    )
213    or any(recipients.to,
214           strings.icontains(body.current_thread.text,
215                             strings.concat("You have received this email because ",
216                                            .email.email,
217                                            " received a file or folder"
218                             )
219           )
220    )
221    or strings.icontains(body.current_thread.text,
222                         strings.concat(sender.display_name,
223                                        " (",
224                                        sender.email.email,
225                                        ") ",
226                                        "shared"
227                         )
228    )
229    // Google address from footer
230    or 2 of (
231      strings.icontains(body.current_thread.text, 'Google LLC'),
232      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
233      strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
234    )
235  )
236  and not (
237    // Google Sites has been observed abused
238    all(body.links,
239        .href_url.domain.root_domain in ("google.com")
240        // allow for matches against sites.google.com, which has been observed being abused
241        and .href_url.domain.domain != "sites.google.com"
242    )
243  )
244  and sender.email.domain.root_domain not in $org_domains
245  and sender.email.domain.root_domain not in ("google.com")
246  and not (
247    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
248    and headers.return_path.domain.domain == "doclist.bounces.google.com"
249  )
250  // negate first threads that are a legitimate Google Drive share
251  and not (
252    length(body.previous_threads) != 0
253    and length(body.previous_threads[length(body.previous_threads) - 1].links) != 0
254    and all(body.previous_threads[length(body.previous_threads) - 1].links,
255            .href_url.domain.root_domain == "google.com"
256    )
257  )
258  
259  // negate highly trusted sender domains unless they fail DMARC authentication
260  and (
261    (
262      sender.email.domain.root_domain in $high_trust_sender_root_domains
263      and not headers.auth_summary.dmarc.pass
264    )
265    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
266  )
267  and (
268    profile.by_sender().solicited == false
269    or profile.by_sender_email().prevalence == "new"
270    or (
271      profile.by_sender().any_messages_malicious_or_spam
272      and not profile.by_sender().any_messages_benign
273    )
274  )
275  and not profile.by_sender().any_messages_benign  
276attack_types:
277  - "Credential Phishing"
278  - "Malware/Ransomware"
279detection_methods:
280  - "Content analysis"
281  - "Header analysis"
282  - "URL analysis"
283  - "Computer Vision"
284tactics_and_techniques:
285  - "Impersonation: Brand"
286  - "Social engineering"
287id: "b424a941-2623-50f5-a3be-e90130e538d2"
to-top