Link to auto-downloaded file with Google Drive branding
A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.
Sublime rule

name: "Link to auto-downloaded file with Google Drive branding"
description: |
  A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.
type: "rule"
references:
  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
  - "https://twitter.com/pr0xylife/status/1598016053787123713"
severity: "high"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          // This isn't a Google Drive link
          .href_url.domain.root_domain != "google.com"
          and

          // There are files downloaded
          length(beta.linkanalysis(.).files_downloaded) > 0
          and

          // Google Drive branding
          beta.linkanalysis(.).credphish.brand.name == "GoogleDrive"
          and beta.linkanalysis(.).credphish.brand.confidence == "high"
          and

          // Hi from Qakbot
          any(file.explode(beta.linkanalysis(.).screenshot),
              any(["the file is not displayed correctly", "use local downloaded file"],
                  strings.icontains(..scan.ocr.raw, .)
              )
          )
  )
  // Unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "4b5343be-9b10-58a3-8d14-a1bae1eebc62"
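To make the rule's conjunction of conditions easy to reason about and unit-test, here is an added stand-alone Python re-implementation of its logic; it is not Sublime's code or MQL. The dict layout, the FREE_EMAIL_PROVIDERS set and the sample message are constructed stand-ins for the beta.linkanalysis() output, the $free_email_providers list and a real lure, and the root-domain versus full-domain distinction of the original is collapsed into one domain value.

```python
from typing import Iterable

OCR_PHRASES = ("the file is not displayed correctly", "use local downloaded file")
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed stand-in for $free_email_providers


def link_is_suspicious(link: dict) -> bool:
    """Per-link block: non-Google domain, auto-download, high-confidence Google Drive brand, Qakbot OCR phrase."""
    analysis = link["analysis"]  # constructed stand-in for beta.linkanalysis(.)
    if link["root_domain"] == "google.com":
        return False
    if not analysis["files_downloaded"]:
        return False
    brand = analysis["brand"]
    if brand["name"] != "GoogleDrive" or brand["confidence"] != "high":
        return False
    ocr = analysis["screenshot_ocr"].lower()  # strings.icontains is case-insensitive
    return any(phrase in ocr for phrase in OCR_PHRASES)


def is_unsolicited(sender: str, recipient_emails: Iterable[str], recipient_domains: Iterable[str]) -> bool:
    """'Unsolicited' block: free-mail sender not among recipients, or other sender's domain not a recipient domain."""
    domain = sender.split("@", 1)[1].lower()
    if domain in FREE_EMAIL_PROVIDERS:
        return sender.lower() not in {e.lower() for e in recipient_emails}
    return domain not in {d.lower() for d in recipient_domains}


def rule_fires(msg: dict) -> bool:
    """Top level: inbound, fewer than 10 body links, at least one suspicious link, and unsolicited."""
    if not msg["inbound"] or len(msg["links"]) >= 10:
        return False
    if not any(link_is_suspicious(link) for link in msg["links"]):
        return False
    return is_unsolicited(msg["sender"], msg["recipient_emails"], msg["recipient_domains"])


# Constructed sample message modelled on the lure the rule describes (no real indicators)
SAMPLE = {
    "inbound": True,
    "sender": "invoices.team@gmail.com",
    "recipient_emails": ["ap@example.org"],
    "recipient_domains": ["example.org"],
    "links": [{
        "root_domain": "example-cdn.invalid",
        "analysis": {
            "files_downloaded": ["invoice.zip"],
            "brand": {"name": "GoogleDrive", "confidence": "high"},
            "screenshot_ocr": "Google Drive\nIf the file is NOT displayed correctly, use local downloaded file",
        },
    }],
}
```

Dropping any single condition (a google.com root domain, no downloaded file, low brand confidence, or a sender already in the recipient list) makes `rule_fires` return False, which mirrors how the MQL `and` chain behaves.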
Related rules
- Attachment: Archive with pdf, txt and wsf files
- Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment
- Attachment: HTML smuggling with embedded base64 streamed file download
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF with link to zip containing a wsf file