Link: Google Forms link with credential theft language
Detects inbound messages from a new sender that contain a docs.google.com link whose path begins with /form and whose body the NLU classifier tags with credential-theft intent at medium or high confidence. The technique abuses Google's trusted domain to host the credential-harvesting form itself, so the link inherits Google's reputation instead of pointing at attacker infrastructure.
Sublime rule (View on GitHub)
name: "Link: Google Forms link with credential theft language"
description: "Detects messages containing Google Forms links paired with credential theft language from new senders. This technique abuses Google's trusted domain to host malicious forms designed to steal user credentials."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // cred_theft intent
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
  // google form link
  and any(body.current_thread.links,
          .href_url.domain.domain == "docs.google.com"
          and strings.istarts_with(.href_url.path, '/form')
  )
  // new sender
  and profile.by_sender_email().prevalence == "new"

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "0cad40e2-dfe8-5d95-b611-b963a0918f61"
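The rule's four conditions, re-implemented as an added example in plain Python (this is not Sublime's MQL engine or the project's code) and run over constructed messages. The classifier intents, the sender history, the addresses and the form IDs are all made-up inputs; the sender-prevalence lookup is a simplified stand-in for profile.by_sender_email(). What the example makes visible is how the conditions combine: the host test is an exact match on docs.google.com, so a forms.gle short link or a Google Doc link does not satisfy it, the path test is case-insensitive, and a known sender or a low-confidence intent suppresses the match.

```python
# Added example, not Sublime's rule engine: the four conditions of the rule
# above re-implemented in plain Python and run over constructed messages.
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


class _HrefCollector(HTMLParser):
    """Collects href values of <a> tags, standing in for body.current_thread.links."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    collector = _HrefCollector()
    collector.feed(html)
    return collector.hrefs


def is_google_form_link(href):
    """.href_url.domain.domain == "docs.google.com"
       and strings.istarts_with(.href_url.path, '/form')"""
    url = urlparse(href)
    host = url.hostname or ""   # urlparse already lowercases the hostname
    # Exact host match: forms.gle short links or other Google hosts do not qualify.
    return host == "docs.google.com" and url.path.lower().startswith("/form")


def has_cred_theft_intent(intents):
    """any(ml.nlu_classifier(...).intents, .name == "cred_theft" and .confidence != "low")"""
    return any(i["name"] == "cred_theft" and i["confidence"] != "low" for i in intents)


def sender_prevalence(sender, seen_senders):
    """Simplified profile.by_sender_email().prevalence (assumption): "new" if the
    address has never been seen by the organisation, otherwise "known"."""
    return "new" if sender.lower() not in seen_senders else "known"


@dataclass
class Message:
    direction: str      # type.inbound -> "inbound"
    sender: str         # sender.email.email
    body_html: str      # body.current_thread (quoted earlier replies already stripped)
    intents: list       # constructed stand-in for ml.nlu_classifier(...).intents


def rule_matches(msg, seen_senders):
    return (
        msg.direction == "inbound"
        and has_cred_theft_intent(msg.intents)
        and any(is_google_form_link(h) for h in extract_links(msg.body_html))
        and sender_prevalence(msg.sender, seen_senders) == "new"
    )


# Constructed sender history and messages (form IDs and addresses are made up).
SEEN_SENDERS = {"colleague@example.com"}
FORM = "https://docs.google.com/forms/d/e/1FAIpQLSexample/viewform"
CRED_HIGH = [{"name": "cred_theft", "confidence": "high"}]
CRED_LOW = [{"name": "cred_theft", "confidence": "low"}]


def lure(href):
    return ('<p>Your mailbox password expires today. Verify your account: '
            f'<a href="{href}">Verify Account</a></p>')


SAMPLES = {
    "phish_new_sender": Message("inbound", "it-helpdesk@example.net", lure(FORM), CRED_HIGH),
    "mixed_case_path": Message("inbound", "it-helpdesk@example.net",
                               lure("https://DOCS.google.com/FORMS/d/x/viewform"), CRED_HIGH),
    "known_sender": Message("inbound", "colleague@example.com", lure(FORM), CRED_HIGH),
    "low_confidence": Message("inbound", "it-helpdesk@example.net", lure(FORM), CRED_LOW),
    "google_doc_not_form": Message("inbound", "it-helpdesk@example.net",
                                   lure("https://docs.google.com/document/d/x/edit"), CRED_HIGH),
    "forms_gle_shortlink": Message("inbound", "it-helpdesk@example.net",
                                   lure("https://forms.gle/xyz"), CRED_HIGH),
    "outbound": Message("outbound", "it-helpdesk@example.net", lure(FORM), CRED_HIGH),
}


def evaluate_samples():
    return {name: rule_matches(msg, SEEN_SENDERS) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} {'MATCH' if hit else 'no match'}")
```

Running the file prints one line per sample; only phish_new_sender and mixed_case_path match. The forms_gle_shortlink sample is the one to keep in mind when tuning: a lure that uses Google's own short-link domain falls outside this rule's host test and needs separate coverage.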