Google Accelerated Mobile Pages (AMP) abuse

This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities. The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish between legitimate Google AMP pages and potential malicious usage.

Sublime rule (View on GitHub)

 1name: "Google Accelerated Mobile Pages (AMP) abuse"
 2description: |
 3  This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities. 
 4  The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish
 5  between legitimate Google AMP pages and potential malicious usage.  
 6references:
 7  - "https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/"
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12
13  // Any body links with a domain SLD of 'google' and a path starting with /amp
14  and any(body.links,
15          .href_url.domain.sld == "google"
16          and strings.starts_with(.href_url.path, "/amp/")
17
18          // Brand Logo detected that is not google
19          and (
20            any(ml.logo_detect(beta.message_screenshot()).brands,
21                .name is not null and .name != "Google"
22            )
23
24            // or the page has a login or captcha
25            or (
26              beta.linkanalysis(.).credphish.contains_login
27              or beta.linkanalysis(.).credphish.contains_captcha
28            )
29
30            // or linkanalysis concludes phishing of medium to high confidence
31            or any([beta.linkanalysis(.)],
32                   .credphish.disposition == "phishing"
33                   and .credphish.brand.confidence in ("medium", "high")
34            )
35
36            // or NLU detected cred theft on the landing page
37            or any(file.explode(beta.linkanalysis(.).screenshot),
38                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
39                       .name == "cred_theft" and .confidence in ("medium", "high")
40                   )
41
42                   // captcha partially loaded
43                   or strings.icontains(.scan.ocr.raw, "Checking if the site connection is secure")
44            )
45
46            // or the link display text contains "password"
47            or strings.icontains(.display_text, "password")
48
49            // or the link contains the recipients email in the url path
50            or any(recipients.to, strings.icontains(..href_url.path, .email.email) and (.email.domain.valid or strings.icontains(.display_name, "undisclosed")))
51          )
52  )  
53attack_types:
54  - "Credential Phishing"
55  - "Malware/Ransomware"
56tactics_and_techniques:
57  - "Impersonation: Brand"
58  - "Open redirect"
59detection_methods:
60  - "Computer Vision"
61  - "Content analysis"
62  - "Natural Language Understanding"
63  - "Optical Character Recognition"
64  - "Sender analysis"
65  - "URL analysis"
66  - "URL screenshot"
67id: "46907029-ef83-50a8-9198-75af39dd5f3b"
to-top