Brand impersonation: Google Workspace alert notification

Detects messages impersonating Google Workspace alert notifications that use Google branding elements, workspace-specific terminology, and admin console references, but originate from non-Google domains and contain suspicious links.

Sublime detection rule (YAML; the `source` key holds the MQL query):

  1name: "Brand impersonation: Google Workspace alert notification"
  2description: "Detects messages impersonating Google Workspace alert notifications that use Google branding elements, workspace-specific terminology, and admin console references, but originate from non-Google domains and contain suspicious links."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  
  8  // Sender impersonates Google Workspace alerts but not from Google
  9  and (
 10    regex.icontains(sender.display_name,
 11                    '(?:workspace|google\s*workspace).*(?:alert|notification)'
 12    )
 13    or regex.icontains(sender.display_name,
 14                       '(?:alert|notification).*(?:workspace|google\s*workspace)'
 15    )
 16    or regex.icontains(sender.email.local_part,
 17                       'workspace.*(?:alert|notification)'
 18    )
 19    or regex.icontains(sender.email.local_part, 'google.*workspace')
 20  )
 21  and not (
 22    sender.email.domain.root_domain in~ (
 23      'google.com',
 24      'google.co.uk',
 25      'google.ca'
 26    )
 27    and headers.auth_summary.dmarc.pass
 28  )
 29
 30  // Negate legitimate Atlassian/Jira notifications that may contain Google Workspace content
 31  and not (
 32    sender.email.domain.root_domain in~ ('atlassian.net', 'atlassian.com')
 33    and headers.auth_summary.dmarc.pass
 34  )
 35
 36  // Negate legitimate Google alerts forwarded through mailing lists
 37  and not (
 38    any(headers.hops,
 39        any(.fields,
 40            .name in ('X-Original-Sender', 'X-Original-From')
 41            and strings.ends_with(.value, '@google.com')
 42        )
 43    )
 44  )
 45  
 46  // Exclude Google Voice/phone call notifications
 47  and not (
 48    regex.icontains(subject.subject,
 49                    '(?:phone\s*call|voice\s*mail|missed\s*call)'
 50    )
 51    or regex.icontains(body.current_thread.text, 'Google\s*Voice')
 52  )
 53  
 54  // Exclude forwarded messages
 55  and not subject.is_forward
 56  
 57  // Body contains Google Workspace impersonation patterns
 58  and (
 59    // Alert center call to action with various phishing subjects
 60    (
 61      regex.icontains(body.current_thread.text, 'alert\s*cent(?:er|re)')
 62      and (
 63        regex.icontains(subject.subject,
 64                        'spike\s+in\s+(?:user[- ]?reported\s+)?spam'
 65        )
 66        or regex.icontains(subject.subject,
 67                           '(?:security|admin|workspace)\s+alert'
 68        )
 69        or regex.icontains(subject.subject,
 70                           'suspicious\s+(?:activity|login|access)'
 71        )
 72      )
 73    )
 74    // Reply-to address spoofs Google Workspace alerts
 75    or any(headers.reply_to,
 76           .email.email == 'google-workspace-alerts-noreply@google.com'
 77    )
 78    // Google Workspace logo hotlinked from gstatic
 79    or (
 80      strings.icontains(body.html.raw,
 81                        'gstatic.com/apps/signup/resources/google-workspace-lockup.png'
 82      )
 83      or strings.icontains(body.html.raw,
 84                           'gstatic.com/apps/signup/resources/google-workspace-lockup.svg'
 85      )
 86      or strings.icontains(body.html.raw,
 87                           'gstatic.com/apps/signup/resources/google-workspace-lockup.jpg'
 88      )
 89    )
 90    // Google corporate address
 91    or (
 92      strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway')
 93      and strings.icontains(body.current_thread.text, 'Mountain View, CA')
 94    )
 95    // Admin recipient messaging patterns
 96    or regex.icontains(body.current_thread.text, 'designated\s+admin\s+recipient')
 97    or (
 98      regex.icontains(body.current_thread.text,
 99                      'Google\s+Workspace(?:\s*account)?'
100      )
101      and regex.icontains(body.current_thread.text,
102                          '(?:admin|administrator)\s+(?:console|recipient|account)'
103      )
104    )
105    // Alert details structure common in these phishing attempts
106    or (
107      regex.icontains(body.current_thread.text, 'alert\s+details\s+include')
108      and regex.icontains(body.current_thread.text,
109                          '(?:activity\s+date|total\s+(?:user\s+)?reports|severity)'
110      )
111    )
112  )
113  
114  // Contains links that are not to Google
115  and any(body.links,
116          not .href_url.domain.root_domain in~ (
117            'google.com',
118            'google.co.uk',
119            'google.ca',
120            'gstatic.com',
121            'googleusercontent.com',
122            'sendgrid.net'
123          )
124  )  
125
126attack_types:
127  - "Credential Phishing"
128tactics_and_techniques:
129  - "Impersonation: Brand"
130  - "Social engineering"
131  - "Lookalike domain"
132detection_methods:
133  - "Header analysis"
134  - "Content analysis"
135  - "Sender analysis"
136  - "URL analysis"
137id: "143ffbc4-15ba-535e-b9d6-ab2e2862abe9"