Link to auto-downloaded file with Google Drive branding

A link in the body of the email downloads a file from a site that uses Google Drive branding, a lure employed by threat actors such as Qakbot. The rule looks for a non-Google link that triggers a file download, is classified as Google Drive brand impersonation with high confidence, and whose rendered page contains the "file is not displayed correctly" / "use local downloaded file" text seen in Qakbot campaigns; the sender must also be unsolicited or have a prior malicious/spam history with no benign messages.

Sublime rule

name: "Link to auto-downloaded file with Google Drive branding"
description: |
    A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.
type: "rule"
references:
  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
  - "https://twitter.com/pr0xylife/status/1598016053787123713"
severity: "high"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          // This isn't a Google Drive link
          .href_url.domain.root_domain != "google.com"
          and

          // There are files downloaded
          length(ml.link_analysis(.).files_downloaded) > 0
          and

          // Google Drive branding
          ml.link_analysis(.).credphish.brand.name == "GoogleDrive"
          and ml.link_analysis(.).credphish.brand.confidence == "high"
          and

          // Hi from Qakbot
          any(file.explode(ml.link_analysis(.).screenshot),
              any([
                    "the file is not displayed correctly",
                    "use local downloaded file"
                  ],
                  strings.icontains(..scan.ocr.raw, .)
              )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "4b5343be-9b10-58a3-8d14-a1bae1eebc62"
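To make the rule's logic concrete, the following is an added example in Python (not part of the Sublime rule and not Sublime's code) that re-implements the same conditions over constructed link-analysis records. The `LinkAnalysis` and `SenderProfile` classes, the `root_domain` helper and all sample URLs, file names and OCR text are assumptions made for the example; in particular, Sublime's `root_domain` uses the public suffix list, whereas the helper here simply keeps the last two host labels.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the fields the rule reads from
# ml.link_analysis(.) and its screenshot OCR (assumption, not Sublime's API).
@dataclass
class LinkAnalysis:
    href_url: str
    files_downloaded: List[str]
    brand_name: Optional[str]        # credphish.brand.name
    brand_confidence: Optional[str]  # credphish.brand.confidence
    screenshot_ocr: str              # scan.ocr.raw of the rendered page

# Constructed stand-in for profile.by_sender() (assumption).
@dataclass
class SenderProfile:
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_messages_benign: bool

# The lure strings the rule matches case-insensitively in the OCR text.
QAKBOT_LURE_STRINGS = (
    "the file is not displayed correctly",
    "use local downloaded file",
)

def root_domain(url: str) -> str:
    """Hypothetical simplification of .href_url.domain.root_domain: the
    last two labels of the host. This is wrong for suffixes like co.uk,
    where a public-suffix-list lookup is required."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    if not m:
        return ""
    labels = m.group(1).lower().split(".")
    return ".".join(labels[-2:])

def link_matches(link: LinkAnalysis) -> bool:
    """One body.links element satisfying every clause inside any(...)."""
    return (
        root_domain(link.href_url) != "google.com"      # not a real Drive link
        and len(link.files_downloaded) > 0              # a file was downloaded
        and link.brand_name == "GoogleDrive"            # Google Drive branding
        and link.brand_confidence == "high"
        and any(s in link.screenshot_ocr.lower() for s in QAKBOT_LURE_STRINGS)
    )

def sender_suspicious(profile: SenderProfile) -> bool:
    """The trailing sender-profile clause of the rule."""
    return (not profile.solicited) or (
        profile.any_messages_malicious_or_spam and not profile.any_messages_benign
    )

def rule_fires(inbound: bool, links: List[LinkAnalysis], profile: SenderProfile) -> bool:
    return (
        inbound
        and len(links) < 10
        and any(link_matches(l) for l in links)
        and sender_suspicious(profile)
    )

# Constructed samples (hypothetical hosts, file names and OCR text).
MALICIOUS_LINK = LinkAnalysis(
    href_url="https://docs-share.example-cdn.net/download/123",
    files_downloaded=["Document_8831.zip"],
    brand_name="GoogleDrive",
    brand_confidence="high",
    screenshot_ocr="Google Drive\nThe file is not displayed correctly, use local downloaded file.",
)
REAL_DRIVE_LINK = LinkAnalysis(           # genuine google.com root domain: excluded
    href_url="https://drive.google.com/file/d/abc123/view",
    files_downloaded=["report.pdf"],
    brand_name="GoogleDrive",
    brand_confidence="high",
    screenshot_ocr="Google Drive report.pdf",
)
LOOKALIKE_NO_LURE = LinkAnalysis(         # branded and downloads, but no Qakbot text
    href_url="https://share.example.net/d/987",
    files_downloaded=["invoice.zip"],
    brand_name="GoogleDrive",
    brand_confidence="high",
    screenshot_ocr="Google Drive  Download",
)
UNKNOWN_SENDER = SenderProfile(solicited=False, any_messages_malicious_or_spam=False, any_messages_benign=False)
TRUSTED_SENDER = SenderProfile(solicited=True, any_messages_malicious_or_spam=False, any_messages_benign=True)

if __name__ == "__main__":
    for label, links, prof in [
        ("qakbot lure, unknown sender", [MALICIOUS_LINK], UNKNOWN_SENDER),
        ("real drive link", [REAL_DRIVE_LINK], UNKNOWN_SENDER),
        ("lookalike without lure text", [LOOKALIKE_NO_LURE], UNKNOWN_SENDER),
        ("qakbot lure, trusted sender", [MALICIOUS_LINK], TRUSTED_SENDER),
    ]:
        print(f"{label}: {rule_fires(True, links, prof)}")
```

Two caveats worth keeping in mind when tuning: the `length(body.links) < 10` clause means a long newsletter-style message carrying the same lure will not fire, and a trusted sender (solicited, with benign history) suppresses the match even when the link itself is clearly malicious, so a compromised partner mailbox needs a separate rule.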
