Link: Google Drawings link from new sender

Detects messages containing Google Drawings links from previously unseen senders, which may indicate abuse of Google's drawing service for malicious content delivery. The rule only fires when three things line up: an inbound message carries a link to docs.google.com whose path starts with /drawings; that link either points at a /preview path or the message body carries a credential-theft intent from the NLU classifier with at least medium confidence; and the sender's address has no prior history (prevalence "new"). The /preview branch needs no NLU signal at all, so a first-time sender sharing a preview link legitimately will also match, which is why the severity is set to medium.

Sublime rule (View on GitHub)

name: "Link: Google Drawings link from new sender"
description: "Detects messages containing Google Drawings links from previously unseen senders, which may indicate abuse of Google's drawing service for malicious content delivery."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // google drawings link
  and any(body.current_thread.links,
          .href_url.domain.domain == "docs.google.com"
          and strings.istarts_with(.href_url.path, '/drawings')
          and (
            strings.icontains(.href_url.path, '/preview')
            or any(ml.nlu_classifier(body.current_thread.text).intents,
                   .name == "cred_theft" and .confidence != "low"
            )
          )
  )
  and profile.by_sender_email().prevalence == "new"
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
id: "fb91c892-c511-53ad-bc46-58ef23db95fb"
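To make the match conditions concrete, the following is an added illustration written for this page, not Sublime Security's code or engine: the rule's logic re-expressed in plain Python and run against a handful of constructed sample messages. The two MQL dependencies that need platform data, `ml.nlu_classifier(...)` and `profile.by_sender_email().prevalence`, are replaced by stubs driven by constructed data; `Message`, `KNOWN_SENDERS`, `CRED_THEFT_PHRASES` and the sample mails in `SAMPLES` are all assumptions made for the example.

```python
"""Reference model of the rule "Link: Google Drawings link from new sender".

Added example, not Sublime Security's implementation. The NLU classifier and
sender-prevalence lookup are stubbed with constructed data so the conditions
can be exercised offline.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Message:
    sender: str
    links: list          # href URLs extracted from the current thread body
    body_text: str
    direction: str = "inbound"


# --- stand-ins for platform functions (assumptions for this example) -------

# Constructed sender history; anything not listed is treated as "new".
KNOWN_SENDERS = {"colleague@example.com"}


def sender_prevalence(sender: str) -> str:
    """Stub for profile.by_sender_email().prevalence."""
    return "common" if sender.lower() in KNOWN_SENDERS else "new"


# Constructed phrase list standing in for the cred_theft intent of
# ml.nlu_classifier(); two or more hits are reported as high confidence.
CRED_THEFT_PHRASES = (
    "verify your password",
    "account will be suspended",
    "sign in to restore",
)


def nlu_intents(text: str) -> list:
    """Returns (intent_name, confidence) pairs, like .intents in MQL."""
    lowered = text.lower()
    hits = sum(phrase in lowered for phrase in CRED_THEFT_PHRASES)
    if hits == 0:
        return []
    return [("cred_theft", "high" if hits >= 2 else "medium")]


# --- the rule's own conditions --------------------------------------------

def is_drawings_link(href: str) -> bool:
    """.href_url.domain.domain == "docs.google.com"
    and strings.istarts_with(.href_url.path, '/drawings').
    Exact host match, so docs.google.com.evil.example does not qualify."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    return host == "docs.google.com" and parsed.path.lower().startswith("/drawings")


def has_preview_path(href: str) -> bool:
    """strings.icontains(.href_url.path, '/preview')"""
    return "/preview" in urlparse(href).path.lower()


def has_cred_theft_intent(text: str) -> bool:
    """any(intents, .name == "cred_theft" and .confidence != "low")"""
    return any(name == "cred_theft" and conf != "low"
               for name, conf in nlu_intents(text))


def rule_matches(msg: Message) -> bool:
    """type.inbound and any(links, drawings and (preview or cred_theft))
    and profile.by_sender_email().prevalence == "new"."""
    if msg.direction != "inbound":
        return False
    link_hit = any(
        is_drawings_link(h)
        and (has_preview_path(h) or has_cred_theft_intent(msg.body_text))
        for h in msg.links
    )
    return link_hit and sender_prevalence(msg.sender) == "new"


# Constructed sample messages covering each branch of the rule.
SAMPLES = {
    "phish_preview": Message("billing@example.net",
        ["https://docs.google.com/drawings/d/1AbC/preview"],
        "Please review the attached invoice."),
    "phish_intent": Message("it-desk@example.net",
        ["https://docs.google.com/drawings/d/1AbC/edit"],
        "Verify your password or your account will be suspended."),
    "known_sender": Message("colleague@example.com",
        ["https://docs.google.com/drawings/d/1AbC/preview"],
        "Updated architecture sketch."),
    "benign_edit": Message("new-vendor@example.net",
        ["https://docs.google.com/drawings/d/1AbC/edit"],
        "Here is the diagram we discussed."),
    "lookalike_domain": Message("billing@example.net",
        ["https://docs.google.com.evil.example/drawings/d/x/preview"],
        "Please review the attached invoice."),
}


def evaluate_samples() -> dict:
    """Runs the rule over SAMPLES and returns {name: matched}."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in evaluate_samples().items():
        print(f"{name:18} {'MATCH' if matched else 'no match'}")
```

Running the samples shows the two paths to a match: a /preview link from an unknown sender fires with no body text signal at all, while an /edit link only fires when the body also reads as credential theft. The known-sender and lookalike-domain cases show the two gates that keep the rule quiet: prevalence must be "new", and the host must be exactly docs.google.com. Note also that the rule inspects `body.current_thread.links`, so a Drawings link buried in quoted earlier replies is not what triggers it.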