Brand impersonation: Google fake sign-in warning
Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
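name: "Brand impersonation: Google fake sign-in warning"
description: |
  Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
type: "rule"
severity: "high"
source: |
  type.inbound
  // At least one link is required: the link condition further down is the main
  // discriminator, so a message with zero links can never match this rule.
  and length(body.links) > 0

  // Google Logo in Attachment
  // An image attachment whose detected brand logos include Google.
  and any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands, .name in ("Google"))
  )

  // Fake activity warning
  // The OCR text of an exploded image attachment must contain at least three
  // of the four phrases typical of the lure (case-insensitive wildcard match).
  and any(attachments,
          .file_type in $file_types_images
          and (
            any(file.explode(.),
                3 of (
                  strings.ilike(.scan.ocr.raw, "*new sign-in*"),
                  strings.ilike(.scan.ocr.raw, "*google account*"),
                  strings.ilike(.scan.ocr.raw, "*secure your account*"),
                  strings.ilike(.scan.ocr.raw, "*check activity*"),
                )
            )
          )
  )

  // legitimate sign-in warnings contain links to google, gmail or googleapis.com
  // Negated all(): the rule fires when at least one link has a non-null root
  // domain outside the allow list. Links whose root domain is null (no parseable
  // host) count as allowed and do not trigger the rule on their own.
  // NOTE(review): the description says "no links leading to Google sites", but a
  // message that mixes Google links with a single external link still matches.
  and (
    not all(body.links,
            .href_url.domain.root_domain in ("google.com", "gmail.com", "googleapis.com")
            or .href_url.domain.root_domain is null
    )
  )

  // Exclude internal senders and Google itself.
  // NOTE(review): the google.com exclusion is based on the claimed sender domain
  // alone and does not require the message to have authenticated; confirm whether
  // an authentication condition is wanted alongside it.
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain != "google.com"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "2d998eee-476b-5f9c-a244-3c11f79138dd"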