Brand impersonation: Google fake sign-in warning
Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
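name: "Brand impersonation: Google fake sign-in warning"
description: |
  Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
type: "rule"
severity: "high"
source: |
  type.inbound
  // the rule keys on where the message's links point, so a message without links is out of scope
  and length(body.links) > 0

  // Google logo detected in an image attachment
  and any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands, .name in ("Google"))
  )

  // Fake activity warning: OCR text of an image attachment matches at least 3 of the 4 phrases.
  // NOTE: this any() is evaluated independently of the logo check above, so the logo
  // and the warning text are allowed to come from different attachments.
  and any(attachments,
          .file_type in $file_types_images
          and (
            any(file.explode(.),
                3 of (
                  strings.ilike(.scan.ocr.raw, "*new sign-in*"),
                  strings.ilike(.scan.ocr.raw, "*google account*"),
                  strings.ilike(.scan.ocr.raw, "*secure your account*"),
                  strings.ilike(.scan.ocr.raw, "*check activity*"),
                )
            )
          )
  )

  // legitimate sign-in warnings contain links to google, gmail or googleapis.com;
  // require at least one link whose root domain is none of these
  // (links with a null root domain are treated as Google-owned and do not count)
  and (
    not all(body.links,
            .href_url.domain.root_domain in (
              "google.com",
              "gmail.com",
              "googleapis.com"
            )
            or .href_url.domain.root_domain is null
    )
  )

  // sender exclusions
  and sender.email.domain.root_domain not in $org_domains
  // exclude mail from google.com only when the From domain is DMARC-authenticated;
  // a spoofed google.com sender that fails (or lacks) DMARC is still evaluated
  and not (
    sender.email.domain.root_domain == "google.com"
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "2d998eee-476b-5f9c-a244-3c11f79138dd"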