Google Share Notification with Suspicious Comments
This detection rule matches on messages which contain suspicious language within the comments of a Google share notification. Suspicious content within the comments section of the notification is deemed as email abbreviations such as FW:, FWD:, and RE: or by containing words that reference a file share.
Sublime rule (View on GitHub)
1name: "Google Share Notification with Suspicious Comments"
2description: "This detection rule matches on messages which contain suspicious language within the comments of a Google share notification. Suspicious content within the comments section of the notification is deemed as email abbreviations such as FW:, FWD:, and RE: or by containing words that reference a file share."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound and
7 // message is from google actual
8 sender.email.domain.domain == 'google.com'
9 and (
10 sender.email.local_part == "drive-shares-noreply"
11 or sender.email.local_part == "drive-shares-dm-noreply"
12 )
13 // contains a comment
14 and strings.icontains(body.html.raw,
15 '<div style="margin-top:24px; color:#5F6368">'
16 )
17 // those comments contain what appears to be an email
18 and (
19 regex.icontains(body.html.raw,
20 '</div>\s*<div style="margin-top:24px; color:#5F6368">\s*(?:RE|FWD?)\s*:'
21 )
22 // the comment contains wording that relates to sharing a file
23 // the list before being sent through regexp-assemble
24 // "request to view", "shared a file", "sent you a file",
25 // "file access request", "view shared document",
26 // "pending file request", "document shared", "view a file",
27 // "file sent to you", "invited to view", "file access invite",
28 // "click to view", "open shared file", "drive file request"
29 or regex.icontains(body.html.raw,
30 '</div>\s*<div style="margin-top:24px; color:#5F6368">[^<]*(?:<[^\/][^<]*)*(?:file (?:access (?:request|invite)|sent to you)|(?:s(?:ent you|hared) a|open shared) file|d(?:rive file request|ocument shared)|(?:invited|request|click) to view|view (?:shared document|a file)|pending file request)[^<]*(?:<[^\/][^<]*)*</div>\s*</td>'
31 )
32 )
33 // not where the sender display name of the message is within org_display_names
34 and not (
35 // the message is from google actual
36 sender.email.email in (
37 'comments-noreply@docs.google.com',
38 'drive-shares-dm-noreply@google.com',
39 'drive-shares-noreply@google.com',
40 'calendar-notification@google.com'
41 )
42 and headers.auth_summary.dmarc.pass
43 // but the sender display name is within org_display_names
44 and any($org_display_names,
45 strings.istarts_with(sender.display_name,
46 strings.concat(., " (via Google ")
47 )
48 or strings.istarts_with(sender.display_name,
49 strings.concat(., " (Google ")
50 )
51 )
52 )
53attack_types:
54 - "Credential Phishing"
55tactics_and_techniques:
56 - "Impersonation: VIP"
57 - "Free file host"
58detection_methods:
59 - "HTML analysis"
60 - "Header analysis"
61 - "Sender analysis"
62 - "Content analysis"
63id: "c69c9924-33ed-564d-9ec3-5b3c5e1321c5"