Link: Multistage Landing - Abused Google Drive
The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a common website.
Sublime rule (View on GitHub)
1name: "Link: Multistage Landing - Abused Google Drive"
2description: "The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a common website."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7
8 // reply-to email address as never been sent an email by the org
9 and not any(headers.reply_to, .email.email in $recipient_emails)
10
11 // message is from google actual
12 and sender.email.domain.domain == 'google.com'
13 and (
14 sender.email.local_part == "drive-shares-noreply"
15 or sender.email.local_part == "drive-shares-dm-noreply"
16 )
17 and headers.auth_summary.spf.pass
18 and strings.ends_with(headers.auth_summary.spf.details.designator,
19 'doclist.bounces.google.com'
20 )
21 and headers.auth_summary.dmarc.pass
22
23 // not where the sender display name is within org_display_names
24 and not any($org_display_names,
25 strings.istarts_with(sender.display_name, strings.concat(., " (via Google "))
26 or strings.istarts_with(sender.display_name, strings.concat(., " (Google "))
27 )
28
29 // threat actors dont want others to edit the share
30 and not strings.icontains(body.current_thread.text, 'invited you to edit')
31
32 and (
33 // check the shared filed name for suspicious indicators
34 // alerting keywords
35 regex.icontains(subject.subject,
36 ': \".*(?:Immediate|Urgent|Critical|Alert|Warning|Urgent|Important|Critical Alert|Security Notice)[!:\-]?[^\"]*\"'
37 )
38 // account issues
39 or regex.icontains(subject.subject,
40 ': \".*(?:Online|Bank(?:ing)?|User|Account|Access|[[:punct:]\s]?(?:ID)|Transactions)\b.*\b(?:Security|Recover|Blocked|Suspen(?:ded|sion)|Restricted|Locked|Disabled|Frozen|Closed)[^\"]*\"'
41 )
42 // keywords themed as Suspicious
43 or regex.icontains(subject.subject,
44 ': \".*(Suspicious|Unauthorized|Unrecognized|Fraudulent|Scam)\b.*\b(Activity|Transaction|Log[- ]?In|Access|Entry|Sign[- ]?In|Detected)[^\"]*\"'
45 )
46 // account/identify verification keywords
47 or regex.icontains(subject.subject,
48 ': \".*(?:(?:Verify|Confirm|Update|Review|Complete)\b.*\b(Your (Identity|Account|Online[- ]?ID|Billing Information))|(?:(?:Action|Attention|Verification|Review)[[:punct:]\s](?:Needed|Required)))[^\"]*\"'
49 )
50
51 or
52 ( // filenames that in References/ID keywords
53 regex.icontains(subject.subject,
54 ': \".*[[:punct:]\s]+\w+[[:punct:]\s]*[a-zA-Z]*[0-9][a-zA-Z0-9]*\"$'
55 )
56 // the above regex is a bit "open", so close it by checking it with a more specific "ending" pattern.
57 and regex.icontains(subject.subject, '[[:punct:]]\s*[a-z0-9]{5,}\"$')
58 )
59
60 // finally get ready to do link analysis
61 // filter out all the links, keeping only the links of interest
62 or any(filter(body.links,
63 // target the "Open" link
64 (
65 .href_url.domain.domain == "drive.google.com"
66 and strings.icontains(.href_url.path, '/view')
67 // this isn't controlled by the actor
68 and .display_text == "Open"
69 )
70 ),
71 // the Google Drive page has been taken down due to TOS violations
72 strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
73 "You can't access this item because it is in violation of our Terms of Service"
74 )
75
76 // if not taken down
77 // filter down the links on the google drive page to those that are external to google
78 or any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
79 .href_url.domain.root_domain != 'google.com'
80 // relative links (no domains)
81 and .href_url.domain.domain is not null
82 ),
83 (
84 // any of those links domains are new
85 network.whois(.href_url.domain).days_old < 30
86 // go to free file hosts
87 or .href_url.domain.root_domain in $free_file_hosts
88 or .href_url.domain.domain in $free_file_hosts
89
90 // go to free subdomains hosts
91 or (
92 .href_url.domain.root_domain in $free_subdomain_hosts
93 // where there is a subdomain
94 and .href_url.domain.subdomain is not null
95 and .href_url.domain.subdomain != "www"
96 )
97 // go to url shortners
98 or .href_url.domain.root_domain in $url_shorteners
99 or .href_url.domain.domain in $url_shorteners
100 or (
101 // find any links that mention common "action" words
102 regex.icontains(.display_text,
103 '(?:view|click|show|access|download|continue|goto|Validate|Va[il]idar|login|verify|account)'
104 )
105 and (
106 // and when visiting those links, are phishing
107 ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
108
109 // hit a captcha page
110 or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
111
112 // or the page redirects to common website, observed when evasion happens
113 or (
114 length(ml.link_analysis(., mode="aggressive").redirect_history
115 ) > 0
116 and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
117 )
118 )
119 )
120 )
121 )
122 )
123 )
124attack_types:
125 - "Credential Phishing"
126tactics_and_techniques:
127 - "Evasion"
128 - "Free email provider"
129 - "Free file host"
130detection_methods:
131 - "Content analysis"
132 - "Sender analysis"
133 - "URL analysis"
134 - "Whois"
135 - "HTML analysis"
136id: "c86288b4-98f3-5d71-850e-c001a628600a"