Open Redirect: Google domain with /url path and suspicious indicators

This rule examines inbound messages whose attachments, if any, are all images and whose body links through Google's open redirect (google[.]com/url?...). To reduce false positives, the redirect alone is not enough: the rule also requires at least two of several additional suspicious indicators (non-Google brand logo, credential-theft or urgency language in the body or in attachment OCR text, hidden white-font HTML, or a sender domain pattern previously seen abusing the redirect), as noted in the inline comments of the rule source.

Sublime rule source

# Detection rule for credential phishing that hides the final landing page behind
# Google's open redirect (google.<tld>/url?...). Structure of `source`:
#   1. hard gate (every clause must hold): inbound, attachments are all images or
#      absent, external sender, not an authenticated Google notification, not a reply,
#      and at least one body link that is a Google /url redirect;
#   2. a "2 of" list of weaker indicators, of which any two must also match.
# Severity is "medium" because the redirect itself is legitimate Google
# functionality and the corroborating indicators are heuristic.
name: "Open Redirect: Google domain with /url path and suspicious indicators"
description: |
  This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). 
  To enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.  
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Attachment gate: either every attachment is an image, or there are no
  // attachments at all. Note the zero-attachment case: messages with no
  // attachments still pass this gate, but the two attachment-based indicators
  // below (logo detection, OCR) can then never match, so the required "2 of"
  // must come from the body-text, white-font or sender-domain indicators.
  and (
    (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
    or length(attachments) == 0
  )
  // External sender only (internal mail is out of scope for this rule).
  and sender.email.domain.root_domain not in $org_domains
  // Allow-list for legitimate Google notification senders. The exemption is
  // deliberately narrow: a "google" second-level domain AND one of two known
  // local parts AND SPF pass AND DMARC pass. A spoofed From: claiming to be
  // googlealerts-noreply@google.com without passing authentication does not
  // get the exemption.
  and not (
    sender.email.domain.sld == "google"
    and sender.email.local_part in ("googlealerts-noreply", "comments-noreply")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
  // Not a reply: no References header, or no hop carries an In-Reply-To
  // header (case-insensitive match on the header name).
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // At least one body link is a Google open redirect. Two ways to match:
  //   (a) host has "google" as its second-level label (any TLD), path is
  //       exactly "/url", and the raw query string contains the
  //       "hl=<2 chars>&q=http(s)://" pattern in that parameter order; or
  //   (b) the platform's link-rewrite decoder already classified the URL as
  //       a google_open_redirect, which is what catches other parameter orders
  //       (e.g. "?q=..." without "hl=") that the regex in (a) does not.
  and any(body.links,
          (
            .href_url.domain.sld == "google"
            and .href_url.path == "/url"
            and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
          )
          or any(.href_url.rewrite.encoders, . == 'google_open_redirect')
  )
  // Corroborating indicators: any two of the following list items must match.
  and 2 of (
    // A brand logo that is NOT Google's is detected, either in an image
    // attachment or in a screenshot of the rendered message. The screenshot
    // branch does not depend on the attachment being iterated, so it is
    // evaluated the same way for every image attachment.
    any(attachments,
        .file_type in $file_types_images
        and (
          any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
          or any(ml.logo_detect(beta.message_screenshot()).brands,
                 not strings.starts_with(.name, "Google")
          )
        )
    ),
    // Body text classified as credential theft with medium or high confidence.
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in~ ("medium", "high")
      )
    ),
    // OCR text extracted from image attachments classified as credential theft.
    // NOTE(review): unlike the body-text indicator above, this branch accepts
    // any confidence level (no .confidence filter) - confirm that asymmetry is
    // intended, since OCR output tends to be noisier than body text.
    (
      any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
          )
      )
    ),
    // Urgency language detected in the current thread's body text.
    (
      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    ),
  
    // Hidden white-font text: short visible body (< 500 chars of display text)
    // and the raw HTML ends with a white (#fff or #ffffff) div closing out the
    // document. The "$" anchor ties the match to the very end of the raw HTML;
    // the "." after the color value presumably stands for the closing quote or
    // a ";" - verify against samples if the pattern stops matching.
    (
      length(body.html.display_text) < 500
      and regex.icontains(body.html.raw,
                          '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
      )
    )
  
    // Sender domain of the form <3+ letters>.<5+ digits><...>.app, a pattern
    // observed abusing Google's redirect.
    // NOTE(review): there is no comma before this "or", so this check is OR'd
    // into the white-font item above and the pair counts as ONE of the required
    // two indicators rather than two separate ones. Confirm that is intended;
    // if the .app check was meant to stand alone, a "," after the white-font
    // block and a separate list item would change how many signals are needed.
    or regex.icontains(sender.email.domain.domain, '[a-z]{3,}\.\d{5,}[^\.]+\.app$')
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  
id: "fc5adf74-6a39-5285-9737-3539a0542313"