Link to auto-downloaded file with Google Drive branding

 1name: "Link to auto-downloaded file with Google Drive branding"
 2description: |
 3    A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.
 4type: "rule"
 5references:
 6  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
 7  - "https://twitter.com/pr0xylife/status/1598016053787123713"
 8severity: "high"
 9source: |
10  type.inbound
11  and length(body.links) < 10
12  and any(body.links,
13          // This isn't a Google Drive link
14          .href_url.domain.root_domain != "google.com"
15          and 
16
17          // There are files downloaded
18          length(beta.linkanalysis(.).files_downloaded) > 0
19          and 
20
21          // Google Drive branding
22          beta.linkanalysis(.).credphish.brand.name == "GoogleDrive"
23          and beta.linkanalysis(.).credphish.brand.confidence == "high"
24          and 
25
26          // Hi from Qakbot
27          any(file.explode(beta.linkanalysis(.).screenshot),
28              any(["the file is not displayed correctly", "use local downloaded file"],
29                  strings.icontains(..scan.ocr.raw, .)
30              )
31          )
32  )
33  and (
34    not profile.by_sender().solicited
35    or (
36      profile.by_sender().any_messages_malicious_or_spam
37      and not profile.by_sender().any_false_positives
38    )
39  )  
40tags:
41  - "Malfam: QakBot"
42attack_types:
43  - "Malware/Ransomware"
44tactics_and_techniques:
45  - "Impersonation: Brand"
46  - "Social engineering"
47detection_methods:
48  - "Content analysis"
49  - "File analysis"
50  - "Optical Character Recognition"
51  - "URL analysis"
52  - "URL screenshot"
53id: "4b5343be-9b10-58a3-8d14-a1bae1eebc62"