Link to Google Apps Script macro via Comment Tagging

Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.

Sublime rule (View on GitHub)

 1name: "Link to Google Apps Script macro via Comment Tagging"
 2description: |
 3  Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs.
 4  App Scripts can run arbitrary code, including redirecting the user to a malicious web page.  
 5references:
 6  - "https://twitter.com/bunnymaid/status/1415478829162762240"
 7  - "https://playground.sublimesecurity.com?id=de1a2916-3812-4caa-a443-d1986487d772"
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and regex.contains(sender.display_name, '\(Google (Slides|Docs)')
13  and any(body.links,
14          .href_url.domain.domain == "script.google.com" and strings.ilike(.href_url.path, "/macros*")
15  )
16  and 1 of (
17    strings.ilike(body.plain.raw, '*you have ? hours*'),
18    strings.ilike(body.plain.raw, '*transfer of funds*'),
19    strings.ilike(body.plain.raw, '*order your funds*')
20    // Or the Sender Display Name is not in your Org Display Names
21    or not any($org_display_names,
22               strings.istarts_with(sender.display_name, strings.concat(., " (Google "))
23    )
24  )  
25attack_types:
26  - "Credential Phishing"
27  - "Malware/Ransomware"
28tactics_and_techniques:
29  - "Social engineering"
30detection_methods:
31  - "Content analysis"
32  - "Sender analysis"
33  - "URL analysis"
34id: "66fecd30-4628-5e53-b3cb-5355a6741487"
to-top