Brand impersonation: Google Drive fake file share
This rule detects messages that look like a Google Drive file-sharing notification (share/review phrasing in the body or in OCR of the rendered message, plus a Google logo, the canonical Drive footer sentence, or Google's postal address) where the sender is not google.com and at least one link points to a domain other than google.com.
name: "Brand impersonation: Google Drive fake file share"
description: |
  This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
type: "rule"
severity: "medium"
# Detection logic (Sublime MQL). Read as four stages joined by "and":
#   1. the message reads like a Drive share notification (body text / OCR, or a localized subject)
#   2. Google specifically is being impersonated (logo, Drive footer sentence, or postal address)
#   3. the links and sender are not Google's, and the message is not a genuine Workspace share
#   4. the sender has no established, clean history with this organization
source: |
  type.inbound

  // Google Drive body content looks like this
  // Stage 1a: share/review phrasing in the current thread text or the raw
  // plain-text body, OR in OCR text of a screenshot of the rendered message
  // (catches image-only lures). The two phrase lists are identical and are
  // kept in sync by hand.
  and (
    (
      (
        any([body.current_thread.text, body.plain.raw],
            strings.ilike(.,
                          "*shared a file with you*",
                          "*shared with you*",
                          "*invited you to review*",
                          "*received a document*",
                          "*shared a document*",
                          "*shared this document*",
                          "*shared an item*",
                          "*received this email because you*"
            )
        )
        or any(file.explode(beta.message_screenshot()),
               strings.ilike(.scan.ocr.raw,
                             "*shared a file with you*",
                             "*shared with you*",
                             "*invited you to review*",
                             "*received a document*",
                             "*shared a document*",
                             "*shared this document*",
                             "*shared an item*",
                             "*received this email because you*"
               )
        )
      )
      // Stage 1b: the subject must also look like a share/review notice.
      // "*sign*" and "*review*" are broad, and a null or empty subject also
      // satisfies this branch, so the body check above carries most of the
      // weight here.
      and (
        strings.ilike(subject.subject,
                      "*shared*",
                      "*updated*",
                      "*sign*",
                      "*review*"
        )
        or any(recipients.to, strings.icontains(subject.subject, .email.domain.sld))
        or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
        or any(body.links, strings.icontains(.display_text, "open document"))
        or strings.ilike(sender.display_name, "*Google Drive*")
        or subject.subject is null
        or subject.subject == ""
      )
    )
    // Stage 1c: localized "with you" fragments. A subject containing any of
    // these stands in for BOTH the body and subject checks above. These are
    // plain case-insensitive substring matches, and some tokens are short
    // ("Nawe", "Met u"), so this branch is the most likely source of false
    // positives; stages 2-4 are what keep it in check.
    or any([
            "Contigo", // Spanish
            "Avec vous", // French
            "Mit Ihnen", // German
            "Con te", // Italian
            "Com você", // Portuguese
            "Met u", // Dutch
            "С вами", // Russian
            "与你", // Chinese (Simplified)
            "與您", // Chinese (Traditional)
            "あなたと", // Japanese
            "당신과", // Korean
            "معك", // Arabic
            "آپ کے ساتھ", // Urdu
            "আপনার সাথে", // Bengali
            "आपके साथ", // Hindi
            "Sizinle", // Turkish, Azerbaijani
            "Med dig", // Swedish
            "Z tobą", // Polish
            "З вами", // Ukrainian
            "Önnel", // Hungarian
            "Μαζί σας", // Greek
            "איתך", // Hebrew
            "กับคุณ", // Thai
            "Với bạn", // Vietnamese
            "Dengan Anda", // Indonesian, Malay
            "Nawe", // Swahili
            "Cu dumneavoastră", // Romanian
            "S vámi", // Czech
            "Med deg", // Norwegian
            "S vami", // Slovak
            "Med dig", // Danish (same string as the Swedish entry above; harmless duplicate)
            "Amb vostè", // Catalan
            "Teiega", // Estonian
            "S vama", // Serbian
            ],
           strings.icontains(subject.subject, .)
    )
  )

  // contains logic that impersonates Google
  // Stage 2: a positive signal that Google specifically is being impersonated:
  // a detected Google-brand logo in the rendered message or in an image
  // attachment, the canonical Drive footer sentence with the sender's or a
  // recipient's address spliced in, or at least two of the three lines of
  // Google's postal address.
  and (
    any(ml.logo_detect(beta.message_screenshot()).brands,
        strings.starts_with(.name, "Google")
    )
    or any(attachments,
           .file_type in $file_types_images
           and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
    )
    or strings.icontains(body.current_thread.text,
                         strings.concat("You have received this email because ",
                                        sender.email.email,
                                        " shared a document with you"
                         )
    )
    or strings.icontains(body.current_thread.text,
                         strings.concat("You have received this email because ",
                                        sender.email.email,
                                        " received a file or folder"
                         )
    )
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("You have received this email because ",
                                            .email.email,
                                            " shared a document with you"
                             )
           )
    )
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("You have received this email because ",
                                            .email.email,
                                            " received a file or folder"
                             )
           )
    )
    // Google address from footer
    or 2 of (
      strings.icontains(body.current_thread.text, 'Google LLC'),
      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
      strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
    )
  )
  // Stage 3: links and sender are not Google's.
  // This fires when at least one link points outside google.com (not, as the
  // description says, only when none point to Google). google.com is the only
  // Google domain allow-listed here. With no links at all, all() is vacuously
  // true and the rule does NOT fire, so link-less lures (e.g. instructions in
  // an attachment) are out of scope for this rule.
  and not all(body.links, .href_url.domain.root_domain in ("google.com"))
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain not in ("google.com")
  // Exempt genuine Drive notifications delivered on a Workspace user's behalf
  // (sender domain is the customer's, bounces go back to Google).
  // NOTE(review): this exemption rests on Return-Path and References, both of
  // which are attacker-controlled. With no References header, all() is
  // vacuously true, so Return-Path alone opens the exemption; a spoofed
  // Return-Path of doclist.bounces.google.com would suppress the rule.
  // Consider also requiring an SPF pass for the return-path domain -- confirm
  // the headers.auth_summary field name for SPF before adding it.
  and not (
    all(headers.references, strings.ends_with(., '@docs-share.google.com'))
    and headers.return_path.domain.domain == "doclist.bounces.google.com"
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // Equivalent to: not (high-trust root domain and DMARC pass). A high-trust
  // domain that fails DMARC is treated like any other sender.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Stage 4: sender reputation. Fire only for senders that are unsolicited,
  // new to the organization, or that have prior malicious/spam hits with no
  // recorded false positives. The final line makes the false-positive
  // exclusion unconditional across all three branches.
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Computer Vision"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
id: "b424a941-2623-50f5-a3be-e90130e538d2"