Link to auto-downloaded file with Google Drive branding
A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.
Sublime rule:

```yaml
name: "Link to auto-downloaded file with Google Drive branding"
description: |
  A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.
type: "rule"
references:
  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
  - "https://twitter.com/pr0xylife/status/1598016053787123713"
severity: "high"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          // This isn't a Google Drive link
          .href_url.domain.root_domain != "google.com"
          and

          // There are files downloaded
          length(ml.link_analysis(.).files_downloaded) > 0
          and

          // Google Drive branding
          ml.link_analysis(.).credphish.brand.name == "GoogleDrive"
          and ml.link_analysis(.).credphish.brand.confidence == "high"
          and

          // Hi from Qakbot
          any(file.explode(ml.link_analysis(.).screenshot),
              any(["the file is not displayed correctly", "use local downloaded file"],
                  strings.icontains(..scan.ocr.raw, .)
              )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "4b5343be-9b10-58a3-8d14-a1bae1eebc62"
```
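To make the composition of the rule's clauses concrete, here is the same predicate restated as a plain-Python emulation run over constructed records. This is an added example, not Sublime's code or API: the dictionary field names and the sample messages are stand-ins for `body.links`, `ml.link_analysis()` and `profile.by_sender()`.

```python
# Added example (not Sublime's code): plain-Python emulation of the rule's logic
# over constructed stand-ins for body.links, ml.link_analysis() and
# profile.by_sender(). Field names mirror the rule, not any real API.
QAKBOT_OCR_PHRASES = ["the file is not displayed correctly", "use local downloaded file"]

def link_matches(link: dict) -> bool:
    """The inner any(body.links, ...) clause: all conditions must hold for one link."""
    analysis = link["analysis"]  # stands in for ml.link_analysis(.)
    brand = analysis["credphish"]["brand"]
    # any(file.explode(screenshot), any(phrases, strings.icontains(..scan.ocr.raw, .)))
    ocr_hit = any(phrase in shot["ocr"].lower()
                  for shot in analysis["screenshots"] for phrase in QAKBOT_OCR_PHRASES)
    return (
        link["root_domain"] != "google.com"        # lure is hosted off Google
        and len(analysis["files_downloaded"]) > 0  # visiting it drops a file
        and brand["name"] == "GoogleDrive"         # yet the page looks like Drive
        and brand["confidence"] == "high"
        and ocr_hit                                # Qakbot lure text on the page
    )

def sender_suspicious(profile: dict) -> bool:
    """The profile.by_sender() clause: unsolicited, or previously bad with no false positives."""
    return (not profile["solicited"]) or (
        profile["any_messages_malicious_or_spam"] and not profile["any_false_positives"])

def rule_fires(msg: dict) -> bool:
    """Top-level source: inbound, fewer than 10 links, one matching link, suspicious sender."""
    return (msg["inbound"] and len(msg["links"]) < 10
            and any(link_matches(link) for link in msg["links"])
            and sender_suspicious(msg["sender_profile"]))

def make_link(root_domain, files, brand, confidence, ocr_text):
    """Build a constructed link record in the shape the functions above expect."""
    return {"root_domain": root_domain, "analysis": {
        "files_downloaded": files,
        "credphish": {"brand": {"name": brand, "confidence": confidence}},
        "screenshots": [{"ocr": ocr_text}]}}

# Constructed samples: an off-Google page dressed as Drive that drops a zip and
# shows the lure text, versus a genuine google.com Drive link with no lure text.
UNKNOWN_SENDER = {"solicited": False, "any_messages_malicious_or_spam": False,
                  "any_false_positives": False}
LURE_TEXT = "Google Drive\nThe file is not displayed correctly. Use local downloaded file."
LURE = {"inbound": True, "sender_profile": UNKNOWN_SENDER, "links": [
    make_link("example-lure.invalid", ["Invoice_1123.zip"], "GoogleDrive", "high", LURE_TEXT)]}
REAL_DRIVE = {"inbound": True, "sender_profile": UNKNOWN_SENDER, "links": [
    make_link("google.com", ["report.pdf"], "GoogleDrive", "high", "Google Drive")]}

if __name__ == "__main__":
    print(rule_fires(LURE), rule_fires(REAL_DRIVE))  # True False
```

The second sample shows why the `root_domain != "google.com"` guard matters: a real Drive page also carries Drive branding, so the rule only fires when that branding appears on a third-party host that drops a file and shows the lure text.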