Link to Google Apps Script macro (unsolicited)

calendar Oct 4, 2023  ยท
Share on: linkedin copy

Message contains a Google Apps Script macro link. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.

Sublime rule (View on GitHub)

 1name: "Link to Google Apps Script macro (unsolicited)"
 2description: |
 3  Message contains a Google Apps Script macro link. App Scripts can run 
 4  arbitrary code, including redirecting the user to a malicious web page.  
 5references:
 6  - "https://twitter.com/bunnymaid/status/1415478829162762240"
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  and any(body.links,
12          .href_url.domain.domain == "script.google.com" and strings.ilike(.href_url.path, "/macros*")
13  )
14  and (
15    profile.by_sender().prevalence in ("new", "outlier")
16    or (
17      profile.by_sender().any_messages_malicious_or_spam
18      and not profile.by_sender().any_false_positives
19    )
20  )  
21attack_types:
22  - "Credential Phishing"
23  - "Malware/Ransomware"
24tactics_and_techniques:
25  - "Open redirect"
26  - "Social engineering"
27detection_methods:
28  - "Sender analysis"
29  - "URL analysis"
30id: "d10146df-547f-5a89-8690-477283e3b1f7"
to-top