Google Drive direct download link from unsolicited sender

This rule detects Google Drive links that use the direct download URL pattern which automatically downloads files when clicked. This pattern is frequently used by threat actors to distribute malware.

The links are formatted like: drive.google.com/uc?id=FILE_ID&export=download

These links skip the Drive preview page and immediately download the file to the user's device, so the recipient never sees the file's name, type or owner before it lands on disk. (For files too large for Google's virus scan, Drive shows a "can't scan this file" confirmation page instead, but the download is still one click away.) Threat actors exploit this pattern to distribute malware directly while appearing to share legitimate content from a trusted service.

Sublime rule

name: "Google Drive direct download link from unsolicited sender"
description: |
  This rule detects Google Drive links that use the direct download URL pattern which automatically downloads files when clicked. This pattern is frequently used by threat actors to distribute malware.
  
  The links are formatted like: drive.google.com/uc?id=FILE_ID&export=download
  
  These links skip the preview page and immediately download the file to the user's device, which can be dangerous for recipients. Threat actors exploit this pattern to directly distribute malware while appearing to share legitimate content from a trusted service.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.links) < 10
  and any(body.links,
          (
            // Match Google Drive direct download links
            strings.icontains(.href_url.url, "drive.google.com/uc")
            and (
              strings.icontains(.href_url.url, "export=download")
              or strings.icontains(.href_url.query_params, "export=download")
            )
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    // Only trigger on unsolicited senders
    not profile.by_sender().solicited
    or (
      // Or senders with suspicious history
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
  - "Content analysis"
id: "78a19343-cfe7-5fd5-9816-dcb4293b705d"
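To make the rule's three conditions (link pattern, trusted-sender negation, sender profile gating) concrete, the following Python model is an added example, not Sublime's own code or MQL engine. It reimplements the URL test with the rule's substring (icontains) semantics, places a stricter parsed check beside it to show where the two diverge on a redirector URL, and evaluates the sender logic over constructed sample messages. The Message and SenderProfile classes, the HIGH_TRUST_ROOT_DOMAINS stand-in for $high_trust_sender_root_domains, and every sample link and domain are assumptions made for illustration.

```python
"""Added example: a Python model of the Sublime rule, not Sublime's own code."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Stand-in for $high_trust_sender_root_domains (assumption: illustrative contents only).
HIGH_TRUST_ROOT_DOMAINS = {"google.com", "microsoft.com"}


def rule_url_match(url: str) -> bool:
    """The rule's own test: case-insensitive substring match on both markers."""
    u = url.lower()
    return "drive.google.com/uc" in u and "export=download" in u


def strict_direct_download(url: str) -> bool:
    """Parsed variant: host must be drive.google.com, path /uc, export=download a real query param.
    Narrower than the rule: it misses the pattern when it is embedded in a redirector URL."""
    parts = urlsplit(url.strip())
    if (parts.hostname or "").lower() != "drive.google.com":
        return False
    if not parts.path.lower().startswith("/uc"):
        return False
    return "download" in parse_qs(parts.query.lower()).get("export", [])


@dataclass
class SenderProfile:
    """Subset of profile.by_sender() the rule reads (assumed shape)."""
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


@dataclass
class Message:
    """Fields of an inbound message the rule consults (assumed shape)."""
    sender_root_domain: str
    dmarc_pass: bool
    links: List[str]
    profile: SenderProfile
    inbound: bool = True


def rule_fires(msg: Message) -> bool:
    """Evaluate the rule's source block top to bottom."""
    if not msg.inbound:
        return False
    if not (0 < len(msg.links) < 10):           # skip link-heavy mail such as newsletters
        return False
    if not any(rule_url_match(u) for u in msg.links):
        return False
    # Trusted root domain is negated only when DMARC passes; a failing DMARC keeps it in scope.
    trusted = msg.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS
    if trusted and msg.dmarc_pass:
        return False
    p = msg.profile
    return (not p.solicited) or (p.any_messages_malicious_or_spam and not p.any_false_positives)


# Constructed sample messages (file ID and domains are made up).
DIRECT = "https://drive.google.com/uc?id=1AbCdEfGh&export=download"
PREVIEW = "https://drive.google.com/file/d/1AbCdEfGh/view"
SAMPLES: Dict[str, Message] = {
    "unknown sender, unsolicited": Message("invoices-example.com", False, [DIRECT], SenderProfile(solicited=False)),
    "google.com, DMARC pass": Message("google.com", True, [DIRECT], SenderProfile(solicited=False)),
    "google.com, DMARC fail": Message("google.com", False, [DIRECT], SenderProfile(solicited=False)),
    "solicited, clean history": Message("partner.example", True, [DIRECT], SenderProfile(solicited=True)),
    "solicited, prior spam, no FPs": Message("partner.example", True, [DIRECT], SenderProfile(True, True, False)),
    "unsolicited, preview link only": Message("invoices-example.com", False, [PREVIEW], SenderProfile(solicited=False)),
    "unsolicited, 12 links": Message("invoices-example.com", False,
                                     [DIRECT] + [f"https://news.example/{i}" for i in range(11)],
                                     SenderProfile(solicited=False)),
}


def demo() -> Dict[str, bool]:
    """Return the verdict for every sample message."""
    return {label: rule_fires(m) for label, m in SAMPLES.items()}


if __name__ == "__main__":
    for label, fired in demo().items():
        print(f"{'FIRES ' if fired else 'quiet '} {label}")
    redirect = "https://tracker.example/r?u=https://drive.google.com/uc?id=1&export=download"
    print("rule substring match on redirector:", rule_url_match(redirect))
    print("strict parsed match on redirector: ", strict_direct_download(redirect))
```

The redirector case is the reason to keep the rule's substring match rather than "tighten" it: the pattern wrapped in a tracking or open-redirect URL still ends at the same download, and a host-anchored parser would let it through. The cost of the broader match is that the sender-profile gating has to carry the false-positive burden, which is why the rule excludes solicited senders with no malicious history and DMARC-authenticated high-trust domains.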
