Link to Google Apps Script macro (unsolicited)
Message contains a Google Apps Script macro link. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.
Sublime rule (View on GitHub)
1name: "Link to Google Apps Script macro (unsolicited)"
2description: |
3 Message contains a Google Apps Script macro link. App Scripts can run
4 arbitrary code, including redirecting the user to a malicious web page.
5references:
6 - "https://twitter.com/bunnymaid/status/1415478829162762240"
7type: "rule"
8severity: "medium"
9source: |
10 type.inbound
11 and any(body.links,
12 .href_url.domain.domain == "script.google.com" and strings.ilike(.href_url.path, "/macros*")
13 )
14 and (
15 profile.by_sender().prevalence in ("new", "outlier")
16 or (
17 profile.by_sender().any_messages_malicious_or_spam
18 and not profile.by_sender().any_false_positives
19 )
20 )
21attack_types:
22 - "Credential Phishing"
23 - "Malware/Ransomware"
24tactics_and_techniques:
25 - "Open redirect"
26 - "Social engineering"
27detection_methods:
28 - "Sender analysis"
29 - "URL analysis"
30id: "d10146df-547f-5a89-8690-477283e3b1f7"