Link: Google Translate (unsolicited)
Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders.
Sublime rule (View on GitHub)
1name: "Link: Google Translate (unsolicited)"
2description: |
3 Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain.
4 This rule identifies instances of Google Translate links from unsolicited senders.
5references:
6 - "https://www.kaspersky.com/blog/google-translate-scheme/46377/"
7type: "rule"
8authors:
9 - twitter: "ajpc500"
10severity: "low"
11source: |
12 type.inbound
13 and any(body.links,
14 "google_translate_open_redirect" in .href_url.rewrite.encoders
15 )
16 and (
17 not profile.by_sender().solicited
18 or profile.by_sender().any_messages_malicious_or_spam
19 )
20 and not profile.by_sender().any_messages_benign
21tags:
22 - "Attack surface reduction"
23attack_types:
24 - "Credential Phishing"
25tactics_and_techniques:
26 - "Open redirect"
27detection_methods:
28 - "Sender analysis"
29 - "URL analysis"
30id: "6949e115-b806-56ea-8976-420bb9d47e5c"