Brand impersonation: Google Drive fake file share
This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Google Drive fake file share"
2description: |
3 This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8
9 // Google Drive body content looks like this
10 and (
11 (
12 (
13 any([body.current_thread.text, body.plain.raw],
14 strings.ilike(.,
15 "*shared a file with you*",
16 "*shared with you*",
17 "*invited you to review*",
18 "*received a document*",
19 "*shared a document*",
20 "*shared a spreadsheet*",
21 "*shared this document*",
22 "*shared an item*",
23 "*received this email because you*",
24 "*shared a*with you*",
25 "*automated *mail from google*drive*",
26 "*added as an editor*",
27 "*invited you to edit*"
28 )
29 )
30 //
31 // This rule makes use of a beta feature and is subject to change without notice
32 // using the beta feature in custom rules is not suggested until it has been formally released
33 //
34 or strings.ilike(beta.ocr(file.message_screenshot()).text,
35 "*shared a file with you*",
36 "*shared with you*",
37 "*invited you to review*",
38 "*received a document*",
39 "*shared a document*",
40 "*shared a spreadsheet*",
41 "*shared this document*",
42 "*shared an item*",
43 "*received this email because you*",
44 "*shared a*with you*",
45 "*automated *mail from google*drive*",
46 "*added as an editor*",
47 "*invited you to edit*"
48 )
49 // suspicious subjects
50 or (
51 (
52 regex.icontains(subject.subject, 'shared \".*\" with you')
53 and sender.email.domain.root_domain != "dropbox.com"
54 )
55 // with Google Drive terminology in body content
56 and any([body.current_thread.text, body.plain.raw],
57 strings.ilike(.,
58 "*Google Drive*",
59 "*Google Doc*",
60 "*Google Sheet*",
61 "*Google Slide*"
62 )
63 )
64 )
65 )
66 and (
67 strings.ilike(subject.subject,
68 "*shared*",
69 "*updated*",
70 "*sign*",
71 "*review*"
72 )
73 or (
74 any(recipients.to,
75 strings.icontains(subject.subject, .email.domain.sld)
76 or (
77 (.email.domain.valid == false)
78 and all(recipients.cc, .email.domain.valid == false)
79 )
80 )
81 or length(recipients.to) == 0
82 )
83 or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
84 or any(body.links,
85 strings.icontains(.display_text, "open document")
86 or strings.iends_with(.display_text, ".pdf")
87 or (
88 .display_text =~ "Open"
89 and network.whois(.href_url.domain).days_old < 365
90 )
91 or any(recipients.to,
92 strings.icontains(..display_text, .email.email)
93 or strings.icontains(..display_text, .email.local_part)
94 )
95 )
96 or strings.ilike(sender.display_name, "*Google Drive*")
97 or subject.subject is null
98 or subject.subject == ""
99 or regex.icontains(body.current_thread.text, '^g.o.o.g.l.e')
100 )
101 )
102 or any([
103 "Contigo", // Spanish
104 "Avec vous", // French
105 "Mit Ihnen", // German
106 "Con te", // Italian
107 "Com você", // Portuguese
108 "Met u", // Dutch
109 "С вами", // Russian
110 "与你", // Chinese (Simplified)
111 "與您", // Chinese (Traditional)
112 "あなたと", // Japanese
113 "당신과", // Korean
114 "معك", // Arabic
115 "آپ کے ساتھ", // Urdu
116 "আপনার সাথে", // Bengali
117 "आपके साथ", // Hindi
118 "Sizinle", // Turkish // Azerbaijani
119 "Med dig", // Swedish
120 "Z tobą", // Polish
121 "З вами", // Ukrainian
122 "Önnel", // Hungarian
123 "Μαζί σας", // Greek
124 "איתך", // Hebrew
125 "กับคุณ", // Thai
126 "Với bạn", // Vietnamese
127 "Dengan Anda", // Indonesian // Malay
128 "Nawe", // Swahili
129 "Cu dumneavoastră", // Romanian
130 "S vámi", // Czech
131 "Med deg", // Norwegian
132 "S vami", // Slovak
133 "Med dig", // Danish
134 "Amb vostè", // Catalan
135 "Teiega", // Estonian
136 "S vama", // Serbian
137 ],
138 strings.icontains(subject.subject, .)
139 )
140 )
141
142 // contains logic that impersonates Google
143 and (
144 any(ml.logo_detect(file.message_screenshot()).brands,
145 strings.starts_with(.name, "Google")
146 )
147 // Google Drive share box formatting
148 or strings.icontains(body.html.raw,
149 '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
150 )
151 or any(attachments,
152 .file_type in $file_types_images
153 and (
154 any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
155 or strings.icontains(beta.ocr(.).text,
156 strings.concat("You have received this email because ",
157 sender.email.email,
158 " shared a document with you"
159 )
160 )
161 or strings.icontains(beta.ocr(.).text,
162 strings.concat("You have received this email because ",
163 sender.email.email,
164 " received a file or folder"
165 )
166 )
167 or any(recipients.to,
168 strings.icontains(beta.ocr(..).text,
169 strings.concat("You have received this email because ",
170 .email.email,
171 " shared a document with you"
172 )
173 )
174 )
175 or any(recipients.to,
176 strings.icontains(beta.ocr(..).text,
177 strings.concat("You have received this email because ",
178 .email.email,
179 " received a file or folder"
180 )
181 )
182 )
183 or strings.icontains(beta.ocr(.).text,
184 strings.concat(sender.display_name,
185 " (",
186 sender.email.email,
187 ") ",
188 "shared"
189 )
190 )
191 )
192 )
193 or strings.icontains(body.current_thread.text,
194 strings.concat("You have received this email because ",
195 sender.email.email,
196 " shared a document with you"
197 )
198 )
199 or strings.icontains(body.current_thread.text,
200 strings.concat("You have received this email because ",
201 sender.email.email,
202 " received a file or folder"
203 )
204 )
205 or any(recipients.to,
206 strings.icontains(body.current_thread.text,
207 strings.concat("You have received this email because ",
208 .email.email,
209 " shared a document with you"
210 )
211 )
212 )
213 or any(recipients.to,
214 strings.icontains(body.current_thread.text,
215 strings.concat("You have received this email because ",
216 .email.email,
217 " received a file or folder"
218 )
219 )
220 )
221 or strings.icontains(body.current_thread.text,
222 strings.concat(sender.display_name,
223 " (",
224 sender.email.email,
225 ") ",
226 "shared"
227 )
228 )
229 // Google address from footer
230 or 2 of (
231 strings.icontains(body.current_thread.text, 'Google LLC'),
232 strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
233 strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
234 )
235 )
236 and not (
237 // Google Sites has been observed abused
238 all(body.links,
239 .href_url.domain.root_domain in ("google.com")
240 // allow for matches against sites.google.com, which has been observed being abused
241 and .href_url.domain.domain != "sites.google.com"
242 )
243 )
244 and sender.email.domain.root_domain not in $org_domains
245 and sender.email.domain.root_domain not in ("google.com")
246 and not (
247 all(headers.references, strings.ends_with(., '@docs-share.google.com'))
248 and headers.return_path.domain.domain == "doclist.bounces.google.com"
249 )
250 // negate first threads that are a legitimate Google Drive share
251 and not (
252 length(body.previous_threads) != 0
253 and length(body.previous_threads[length(body.previous_threads) - 1].links) != 0
254 and all(body.previous_threads[length(body.previous_threads) - 1].links,
255 .href_url.domain.root_domain == "google.com"
256 )
257 )
258
259 // negate highly trusted sender domains unless they fail DMARC authentication
260 and (
261 (
262 sender.email.domain.root_domain in $high_trust_sender_root_domains
263 and not headers.auth_summary.dmarc.pass
264 )
265 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
266 )
267 and (
268 profile.by_sender().solicited == false
269 or profile.by_sender_email().prevalence == "new"
270 or (
271 profile.by_sender().any_messages_malicious_or_spam
272 and not profile.by_sender().any_messages_benign
273 )
274 )
275 and not profile.by_sender().any_messages_benign
276attack_types:
277 - "Credential Phishing"
278 - "Malware/Ransomware"
279detection_methods:
280 - "Content analysis"
281 - "Header analysis"
282 - "URL analysis"
283 - "Computer Vision"
284tactics_and_techniques:
285 - "Impersonation: Brand"
286 - "Social engineering"
287id: "b424a941-2623-50f5-a3be-e90130e538d2"