Open Redirect: Google domain with /url path and suspicious indicators
This rule examines messages containing image attachments that use Google's open redirect (google[.]com/url...). To improve accuracy and reduce false positives, the rule performs additional checks for suspicious indicators, as described in the comments.
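name: "Open Redirect: Google domain with /url path and suspicious indicators"
description: |
  This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...).
  To enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.
type: "rule"
severity: "medium"
# NOTE(review): the source below also matches messages with zero attachments
# (see the first clause); the description mentions only image attachments.
source: |
  type.inbound
  // All attachments are images or 0 attachments
  and (
    (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
    or length(attachments) == 0
  )
  // sender is outside the organization's own domains
  and sender.email.domain.root_domain not in $org_domains
  // negate auth'ed google messages
  // Only these two known notification senders are exempted, and only when both
  // SPF and DMARC pass, so a message merely claiming a google sender is not excluded.
  and not (
    sender.email.domain.sld == "google"
    and sender.email.local_part in ("googlealerts-noreply", "comments-noreply")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
  // not a reply
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // With a Google Redirect
  // Either branch suffices: a google.com/url link whose query string carries
  // hl=<2 chars>&q=http(s)://..., or a link the rewrite engine already
  // classified as a google open redirect.
  // NOTE(review): the regex requires this exact parameter order (hl immediately
  // before q) and a two-character hl value; other orderings or longer locale
  // codes are only caught by the encoders branch. Confirm this is intended.
  and any(body.links,
          (
            .href_url.domain.sld == "google"
            and .href_url.path == "/url"
            and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
          )
          or any(.href_url.rewrite.encoders, . == 'google_open_redirect')
  )
  // At least two of the following suspicious indicators must be present
  and 2 of (
    // Not a google logo
    // A non-Google brand logo in any image attachment or in the rendered message screenshot
    any(attachments,
        .file_type in $file_types_images
        and (
          any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
          or any(ml.logo_detect(beta.message_screenshot()).brands,
                 not strings.starts_with(.name, "Google")
          )
        )
    ),
    // Body analysis - NLU - Credential theft
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in~ ("medium", "high")
      )
    ),
    // Image analysis - NLU - Credential theft language
    // Runs the classifier over OCR text extracted from image attachments.
    // NOTE(review): unlike the body-text check above, no confidence threshold is
    // applied here; a low-confidence OCR match counts as an indicator.
    (
      any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
          )
      )
    ),
    // Content analysis - Body - Urgency
    (
      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    ),

    // White font is found in html raw
    // Short visible text plus a trailing white-on-white div is a common hidden-text pattern
    (
      length(body.html.display_text) < 500
      and regex.icontains(body.html.raw,
                          '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
      )
    )

    // domains using .app matching this pattern observed abusing google's redirect
    // NOTE(review): as written (no comma before "or"), this sender-domain check is
    // OR'd into the white-font item above rather than counted as its own indicator
    // toward the "2 of" threshold. Confirm that is the intended grouping.
    or regex.icontains(sender.email.domain.domain, '[a-z]{3,}\.\d{5,}[^\.]+\.app$')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"

id: "fc5adf74-6a39-5285-9737-3539a0542313"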