Link: Google Translate (unsolicited)

calendar Nov 14, 2023 · Attack surface reduction  ·
Share on: linkedin copy

Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders.

Sublime rule (View on GitHub)

 1name: "Link: Google Translate (unsolicited)"
 2description: |
 3  Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain.
 4  This rule identifies instances of Google Translate links from unsolicited senders.  
 5references:
 6  - "https://www.kaspersky.com/blog/google-translate-scheme/46377/"
 7type: "rule"
 8authors:
 9  - twitter: "ajpc500"
10severity: "low"
11source: |
12  type.inbound
13  and any(body.links, "google_translate_open_redirect" in .href_url.rewrite.encoders)
14  and (
15    not profile.by_sender().solicited
16    or profile.by_sender().any_messages_malicious_or_spam
17  )
18
19  and not profile.by_sender().any_false_positives  
20tags:
21  - "Attack surface reduction"
22attack_types:
23  - "Credential Phishing"
24tactics_and_techniques:
25  - "Open redirect"
26detection_methods:
27  - "Sender analysis"
28  - "URL analysis"
29id: "6949e115-b806-56ea-8976-420bb9d47e5c"

Related rules

to-top