Link to Google Apps Script macro via Comment Tagging
Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.
Sublime rule

name: "Link to Google Apps Script macro via Comment Tagging"
description: |
  Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs.
  App Scripts can run arbitrary code, including redirecting the user to a malicious web page.
references:
  - "https://twitter.com/bunnymaid/status/1415478829162762240"
  - "https://playground.sublimesecurity.com?id=de1a2916-3812-4caa-a443-d1986487d772"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.contains(sender.display_name, '\(Google (Slides|Docs)')
  and any(body.links,
          .href_url.domain.domain == "script.google.com" and strings.ilike(.href_url.path, "/macros*")
  )
  and 1 of (
      strings.ilike(body.plain.raw, '*you have ? hours*'),
      strings.ilike(body.plain.raw, '*transfer of funds*'),
      strings.ilike(body.plain.raw, '*order your funds*')
      // Or the Sender Display Name is not in your Org Display Names
      or not any($org_display_names,
          strings.istarts_with(sender.display_name, strings.concat(., " (Google "))
      )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "66fecd30-4628-5e53-b3cb-5355a6741487"
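As an added illustration (not code from the Sublime rule or the page), the following Python approximates the rule's logic so the three conditions can be traced over constructed sample messages: the display name must look like a Google Slides|Docs comment notification, at least one link must point at a script.google.com /macros path, and either a lure phrase appears in the body or the display name is not one of the organization's known names. The org name list, sample senders, links and bodies are all constructed here; the real rule reads `$org_display_names` from the Sublime environment.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the rule's $org_display_names list.
ORG_DISPLAY_NAMES = ["Alice Example", "Bob Example"]

# strings.ilike patterns from the rule, as case-insensitive regexes.
# In ilike, '*' is any run of characters and '?' is a single character.
LURE_PATTERNS = [r"you have . hours", r"transfer of funds", r"order your funds"]


def is_apps_script_macro_link(url: str) -> bool:
    """Mirrors: .href_url.domain.domain == "script.google.com" and path ilike "/macros*"."""
    parts = urlparse(url)
    return parts.hostname == "script.google.com" and parts.path.lower().startswith("/macros")


def matches_rule(sender_display_name: str, links: list, body_text: str) -> bool:
    # regex.contains(sender.display_name, '\(Google (Slides|Docs)') is case-sensitive.
    if not re.search(r"\(Google (Slides|Docs)", sender_display_name):
        return False
    if not any(is_apps_script_macro_link(u) for u in links):
        return False
    body = body_text.lower()
    lure_hit = any(re.search(p, body) for p in LURE_PATTERNS)
    # not any($org_display_names, istarts_with(display_name, concat(., " (Google ")))
    known_sender = any(
        sender_display_name.lower().startswith((name + " (Google ").lower())
        for name in ORG_DISPLAY_NAMES
    )
    # "1 of (a, b, c or d)" collapses to: any lure phrase, or an unknown sender name.
    return lure_hit or not known_sender


# Constructed samples: (display name, links, body). The macro URL is a placeholder.
MACRO = "https://script.google.com/macros/s/PLACEHOLDER/exec"
SAMPLES = [
    ("Mallory (Google Docs)", [MACRO], "Please review, you have 2 hours to respond."),
    ("Alice Example (Google Slides)", [MACRO], "Added a comment on slide 3."),
    ("Alice Example (Google Docs)", ["https://docs.google.com/document/d/x"], "transfer of funds"),
    ("Alice Example (Google Docs)", [MACRO], "Approve the TRANSFER OF FUNDS today."),
]


def run_samples() -> list:
    """Returns one verdict per constructed sample, in order."""
    return [matches_rule(name, links, body) for name, links, body in SAMPLES]
```

Sample 2 is the benign case the `$org_display_names` exclusion is designed to pass: a known colleague's comment notification that happens to carry a macro link but no lure text.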