Brand impersonation: Google Drive fake file share
This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
name: "Brand impersonation: Google Drive fake file share"
description: |
  This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
type: "rule"
severity: "medium"
# Rule logic (MQL). Structure, top to bottom:
#   1. content looks like a Google Drive share notice (body/OCR text + subject, or a localized subject phrase)
#   2. something in the message impersonates Google (logo detection or the Drive boilerplate sentence)
#   3. link, sender-domain and header checks that genuine Google Drive mail would not trip
#   4. sender-reputation gating (high-trust senders, solicited/new senders, prior false positives)
source: |
  type.inbound

  // Google Drive body content looks like this
  and (
    (
      (
        // share-notice phrasing in the thread text or raw plain body ...
        any([body.current_thread.text, body.plain.raw],
            strings.ilike(.,
                          "*shared a file with you*",
                          "*shared with you*",
                          "*invited you to review*",
                          "*received a document*",
                          "*shared a document*",
                          "*shared this document*"
            )
        )
        // ... or the same phrasing recovered by OCR from a screenshot of the rendered message
        // (catches image-only bodies where the text fields are empty)
        or any(file.explode(beta.message_screenshot()),
               strings.ilike(.scan.ocr.raw,
                             "*shared a file with you*",
                             "*shared with you*",
                             "*invited you to review*",
                             "*received a document*",
                             "*shared a document*",
                             "*shared this document*"
               )
        )
      )
      // subject must also look like a share/review notice; a missing or empty subject is
      // deliberately accepted here rather than treated as a miss
      and (
        strings.ilike(subject.subject,
                      "*shared*",
                      "*updated*",
                      "*sign*",
                      "*review*"
        )
        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
        or any(body.links, strings.icontains(.display_text, "open document"))
        or subject.subject is null
        or subject.subject == ""
      )
    )
    // alternative branch: a localized "with you" phrase in the subject satisfies the
    // content check on its own -- no body or OCR pattern is required in this case
    or any([
             "Contigo", // Spanish
             "Avec vous", // French
             "Mit Ihnen", // German
             "Con te", // Italian
             "Com você", // Portuguese
             "Met u", // Dutch
             "С вами", // Russian
             "与你", // Chinese (Simplified)
             "與您", // Chinese (Traditional)
             "あなたと", // Japanese
             "당신과", // Korean
             "معك", // Arabic
             "آپ کے ساتھ", // Urdu
             "আপনার সাথে", // Bengali
             "आपके साथ", // Hindi
             "Sizinle", // Turkish // Azerbaijani
             "Med dig", // Swedish
             "Z tobą", // Polish
             "З вами", // Ukrainian
             "Önnel", // Hungarian
             "Μαζί σας", // Greek
             "איתך", // Hebrew
             "กับคุณ", // Thai
             "Với bạn", // Vietnamese
             "Dengan Anda", // Indonesian // Malay
             "Nawe", // Swahili
             "Cu dumneavoastră", // Romanian
             "S vámi", // Czech
             "Med deg", // Norwegian
             "S vami", // Slovak
             "Med dig", // Danish (same string as the Swedish entry above)
             "Amb vostè", // Catalan
             "Teiega", // Estonian
             "S vama", // Serbian
           ],
           strings.icontains(subject.subject, .)
    )
  )

  // contains logic that impersonates Google
  and (
    // Google logo detected in a screenshot of the rendered message ...
    any(ml.logo_detect(beta.message_screenshot()).brands,
        strings.starts_with(.name, "Google")
    )
    // ... or in any image attachment ...
    or any(attachments,
           .file_type in $file_types_images
           and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
    )
    // ... or the Drive notification boilerplate sentence, built around the actual
    // sender address so that it only matches when the sender claims to be the sharer
    or (
      strings.icontains(body.current_thread.text,
                        strings.concat("You have received this email because ",
                                       sender.email.email,
                                       " shared a document with you"
                        )
      )
    )
  )
  // at least one link must resolve to a root domain other than google.com; note this is
  // "not all links are google.com", not "no link is google.com" as the description words it
  // (behaviour for a message with zero links depends on how all() treats an empty list -- confirm)
  and not all(body.links, .href_url.domain.root_domain in ("google.com"))
  and sender.email.domain.root_domain not in $org_domains
  // only root domain google.com is treated as a legitimate Google sender here
  and sender.email.domain.root_domain not in ("google.com")
  // exclude genuine Drive notifications: both header traits must hold for the exclusion to apply
  and not (
    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
    and headers.return_path.domain.domain == "doclist.bounces.google.com"
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (i.e. a high-trust root domain only passes this block when DMARC did not pass)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender-reputation gating: unsolicited, newly seen, or previously malicious/spam senders
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // already implied by the final any_false_positives clause below; kept for readability
      and not profile.by_sender().any_false_positives
    )
  )
  // global suppression: never fire for a sender with a recorded false positive
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Computer Vision"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
id: "b424a941-2623-50f5-a3be-e90130e538d2"