Google Presentation Open Redirect Phishing

Detects emails containing links to Google Docs presentations that either have a single page with a single external link (rewritten through a Google open redirect), have been removed for Terms of Service violations, or have been deleted. Note that the rule source shown below implements only the first two conditions; there is no check for deleted presentations in it.


 1name: "Google Presentation Open Redirect Phishing"
 2description: "Detects emails containing links to Google Document Presentations that either have a single page with a single external link, have been removed for Terms of Service violations, or have been deleted."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          // body link is to a google doc presentation
 9          .href_url.domain.domain == "docs.google.com"
10          and strings.istarts_with(.href_url.path, '/presentation/')
11          and (
12            // and that presentation...
13            (
14              // contains a slingle link
15              length(ml.link_analysis(., mode="aggressive").final_dom.links) == 1
16              
17              // cannot be edited via link provided
18              and strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
19                                   'canEdit:  false'
20              )
21              
22              // and a single page
23              and strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
24                                   'slidePageCount:  1.0'
25              )
26              
27              // where we have links which have been written via a google open redirect
28              and any(ml.link_analysis(., mode="aggressive").final_dom.links,
29                      // links are not in thhe org_domains
30                      .href_url.domain.domain not in $org_domains
31                      and (
32                        (
33                          // don't include high rep domains
34                          .href_url.domain.domain not in $tranco_1m
35                          and .href_url.domain.domain not in $umbrella_1m
36                        )
37                        // if it's in Tranco or Umbrella, still include it if it's one of these
38                        or .href_url.domain.domain in $free_file_hosts
39                        or .href_url.domain.root_domain in $free_file_hosts
40                        or .href_url.domain.root_domain in $free_subdomain_hosts
41                        // or it's a url shortner
42                        or .href_url.domain.root_domain in $url_shorteners
43                      )
44                      // which have been "unrolled" by the google_open_redirect rule
45                      and any(.href_url.rewrite.encoders,
46                              . == "google_open_redirect"
47                      )
48              )
49            )
50            // or the presentation has been removed for violation of terms of service
51            or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
52                                 "We're sorry. You can't access this item because it is in violation of our Terms of Service."
53            )
54          )
55  )  
56
57attack_types:
58  - "Credential Phishing"
59tactics_and_techniques:
60  - "Evasion"
61  - "Open redirect"
62  - "Social engineering"
63detection_methods:
64  - "URL analysis"
65  - "HTML analysis"
66id: "5d01ee3a-9426-5a8b-bde3-328d6780af6f"