Brand impersonation: Google fake sign-in warning

 1name: "Brand impersonation: Google fake sign-in warning"
 2description: |
 3    Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(body.links) > 0
 9
10  // Google Logo in Attachment
11  and any(attachments,
12          .file_type in $file_types_images and any(ml.logo_detect(.).brands, .name in ("Google"))
13  )
14  and any(attachments,
15          .file_type in $file_types_images
16          and (
17            any(file.explode(.),
18                // Fake activity warning
19                3 of (
20                  strings.ilike(.scan.ocr.raw, "*new sign-in*"),
21                  strings.ilike(.scan.ocr.raw, "*google account*"),
22                  strings.ilike(.scan.ocr.raw, "*secure your account*"),
23                  strings.ilike(.scan.ocr.raw, "*check activity*"),
24                )
25            )
26          )
27  )
28
29  // legitimate sign-in warnings contains links to google, gmail or googleapis.com
30  and (
31    not all(body.links,
32            .href_url.domain.root_domain in ("google.com", "gmail.com", "googleapis.com")
33            or .href_url.domain.root_domain is null
34    )
35  )
36  and sender.email.domain.root_domain not in $org_domains
37  and sender.email.domain.root_domain != "google.com"  
38attack_types:
39  - "Credential Phishing"
40tactics_and_techniques:
41  - "Impersonation: Brand"
42  - "Social engineering"
43detection_methods:
44  - "Computer Vision"
45  - "File analysis"
46  - "Optical Character Recognition"
47  - "Sender analysis"
48  - "URL analysis"
49id: "2d998eee-476b-5f9c-a244-3c11f79138dd"