Link: Google Translate (unsolicited)
Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders.
Sublime rule (View on GitHub)
1name: "Link: Google Translate (unsolicited)"
2description: |
3 Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain.
4 This rule identifies instances of Google Translate links from unsolicited senders.
5references:
6 - "https://www.kaspersky.com/blog/google-translate-scheme/46377/"
7type: "rule"
8authors:
9 - twitter: "ajpc500"
10severity: "low"
11source: |
12 type.inbound
13 and any(body.links, .href_url.domain.root_domain == "translate.goog")
14 and (
15 (
16 sender.email.domain.root_domain in $free_email_providers
17 and sender.email.email not in $recipient_emails
18 )
19 or (
20 sender.email.domain.root_domain not in $free_email_providers
21 and sender.email.domain.domain not in $recipient_domains
22 )
23 )
24tags:
25 - "Attack surface reduction"
26attack_types:
27 - "Credential Phishing"
28tactics_and_techniques:
29 - "Open redirect"
30detection_methods:
31 - "Sender analysis"
32 - "URL analysis"
33id: "6949e115-b806-56ea-8976-420bb9d47e5c"