Google Share Notification with Suspicious Comments
This detection rule matches on messages which contain suspicious language within the comments of a Google share notification. Suspicious content within the comments section of the notification is defined as email-thread abbreviations such as FW:, FWD:, and RE:, or as wording that references a file share.
Sublime rule
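# Sublime Security detection rule (YAML envelope + Message Query Language in `source`).
# Targets Google Drive share notifications whose free-text comment field is used to
# make the share look like a forwarded email thread ("RE:", "FW:") or a file-delivery
# notice, a common credential-phishing lure that rides on a trusted google.com sender.
# The rendered listing had gutter line numbers fused onto every line; they are stripped
# here so the document parses as YAML again.
name: "Google Share Notification with Suspicious Comments"
description: "This detection rule matches on messages which contain suspicious language within the comments of a Google share notification. Suspicious content within the comments section of the notification is deemed as email abbreviations such as FW:, FWD:, and RE: or by containing words that reference a file share."
type: "rule"
severity: "high"
source: |
  type.inbound
  and
  // message is from google actual (From-header domain and local part only).
  // DMARC is evaluated only inside the exclusion block further down, so a
  // message that merely claims a google.com drive-shares sender still matches;
  // that is acceptable here because a spoofed share notice is also worth
  // flagging, and such a message can never satisfy the exclusion.
  sender.email.domain.domain == 'google.com'
  and (
    sender.email.local_part == "drive-shares-noreply"
    or sender.email.local_part == "drive-shares-dm-noreply"
  )
  // contains a comment.
  // The div markup below is Google's current notification template for the
  // comment block; a template change would silently stop this rule from
  // matching, so treat a sudden drop to zero hits as a signal to re-verify it.
  and strings.icontains(body.html.raw,
                        '<div style="margin-top:24px; color:#5F6368">'
  )
  // those comments contain what appears to be an email:
  // the comment block begins with RE:, FW: or FWD: (case-insensitive)
  and (
    regex.icontains(body.html.raw,
                    '</div>\s*<div style="margin-top:24px; color:#5F6368">\s*(?:RE|FWD?)\s*:'
    )
    // the comment contains wording that relates to sharing a file
    // the list before being sent through regexp-assemble
    // "request to view", "shared a file", "sent you a file",
    // "file access request", "view shared document",
    // "pending file request", "document shared", "view a file",
    // "file sent to you", "invited to view", "file access invite",
    // "click to view", "open shared file", "drive file request"
    // `(?:<[^\/][^<]*)*` tolerates opening/self-closing tags between the
    // comment div and the phrase but no closing tag, so the match stays
    // inside the single comment element that ends at `</div>\s*</td>`.
    or regex.icontains(body.html.raw,
                       '</div>\s*<div style="margin-top:24px; color:#5F6368">[^<]*(?:<[^\/][^<]*)*(?:file (?:access (?:request|invite)|sent to you)|(?:s(?:ent you|hared) a|open shared) file|d(?:rive file request|ocument shared)|(?:invited|request|click) to view|view (?:shared document|a file)|pending file request)[^<]*(?:<[^\/][^<]*)*</div>\s*</td>'
    )
  )
  // not where the sender display name of the message is within org_display_names:
  // suppress shares that Google genuinely sent (DMARC pass) on behalf of someone
  // in the organization, identified either by the display name or by the reply-to.
  // Requiring DMARC here is what keeps a spoofed sender from using this carve-out.
  and not (
    // the message is from google actual.
    // Only the two drive-shares addresses can reach this point given the sender
    // constraints above; the docs.google.com and calendar-notification entries
    // are inert in this rule and appear to be kept for parity with related rules.
    sender.email.email in (
      'comments-noreply@docs.google.com',
      'drive-shares-dm-noreply@google.com',
      'drive-shares-noreply@google.com',
      'calendar-notification@google.com'
    )
    and headers.auth_summary.dmarc.pass
    // but the sender display name is within org_display_names
    // ($org_display_names / $org_domains are organization-maintained lists;
    // `.` is the current list entry inside any()/all())
    and (
      any($org_display_names,
          strings.istarts_with(sender.display_name,
                               strings.concat(., " (via Google ")
          )
          or strings.istarts_with(sender.display_name,
                                  strings.concat(., " (Google ")
          )
      )
      // or the one and only reply-to points back into an org domain
      or (
        length(headers.reply_to) == 1
        and all(headers.reply_to, .email.domain.domain in $org_domains)
      )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: VIP"
  - "Free file host"
detection_methods:
  - "HTML analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Content analysis"
id: "c69c9924-33ed-564d-9ec3-5b3c5e1321c5"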