Link: Multistage Landing - Abused Google Drive

The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a CAPTCHA, or redirect to a common website.

Sublime rule (View on GitHub)

  1name: "Link: Multistage Landing - Abused Google Drive"
  2description: "The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a common website."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  
  8  // reply-to email address has never been sent an email by the org
     // NOTE(review): presumably any() over an absent reply-to header is false, so a message
     // with no reply-to header passes this clause — confirm
  9  and not any(headers.reply_to, .email.email in $recipient_emails)
 10  
 11  // message genuinely originates from Google Drive's share-notification senders:
     // sender domain and local part, SPF designator and DMARC all have to check out,
     // so a merely spoofed "Google" sender does not match. The abuse is of the real service.
 12  and sender.email.domain.domain == 'google.com'
 13  and (
 14    sender.email.local_part == "drive-shares-noreply"
 15    or sender.email.local_part == "drive-shares-dm-noreply"
 16  )
 17  and headers.auth_summary.spf.pass
     // SPF designator must be Google's Drive bounce domain
 18  and strings.ends_with(headers.auth_summary.spf.details.designator,
 19                        'doclist.bounces.google.com'
 20  )
 21  and headers.auth_summary.dmarc.pass
 22  
 23  // exclude shares whose display name is an org display name followed by Google's
     // "(via Google ...)" / "(Google ...)" suffix, i.e. shares that appear to come from the org itself
 24  and not any($org_display_names,
 25      strings.istarts_with(sender.display_name, strings.concat(., " (via Google "))
 26      or strings.istarts_with(sender.display_name, strings.concat(., " (Google "))
 27  )
 28  
 29  // threat actors don't want recipients to be able to edit the share, so edit invitations are excluded
 30  and not strings.icontains(body.current_thread.text, 'invited you to edit')
 31  
 32  and (
 33    // check the shared file name for suspicious indicators; the regexes below key on the
     //  file name being quoted after a colon in the subject (the ': "<file name>"' form)
 34    // alerting keywords (Urgent and Critical appear twice in the alternation — harmless redundancy)
 35    regex.icontains(subject.subject,
 36                    ': \".*(?:Immediate|Urgent|Critical|Alert|Warning|Urgent|Important|Critical Alert|Security Notice)[!:\-]?[^\"]*\"'
 37    )
 38    // account issues: an account-ish noun followed later by a status word
 39    or regex.icontains(subject.subject,
 40                       ': \".*(?:Online|Bank(?:ing)?|User|Account|Access|[[:punct:]\s]?(?:ID)|Transactions)\b.*\b(?:Security|Recover|Blocked|Suspen(?:ded|sion)|Restricted|Locked|Disabled|Frozen|Closed)[^\"]*\"'
 41    )
 42    // keywords themed as suspicious activity
 43    or regex.icontains(subject.subject,
 44                       ': \".*(Suspicious|Unauthorized|Unrecognized|Fraudulent|Scam)\b.*\b(Activity|Transaction|Log[- ]?In|Access|Entry|Sign[- ]?In|Detected)[^\"]*\"'
 45    )
 46    // account/identity verification keywords, or "Action/Attention/Verification/Review Needed/Required"
 47    or regex.icontains(subject.subject,
 48                       ': \".*(?:(?:Verify|Confirm|Update|Review|Complete)\b.*\b(Your (Identity|Account|Online[- ]?ID|Billing Information))|(?:(?:Action|Attention|Verification|Review)[[:punct:]\s](?:Needed|Required)))[^\"]*\"'
 49    )
 50    
 51    or
 52    ( // file names that look like a reference number or ID (a word, then a token containing a digit, at the very end)
 53      regex.icontains(subject.subject,
 54                      ': \".*[[:punct:]\s]+\w+[[:punct:]\s]*[a-zA-Z]*[0-9][a-zA-Z0-9]*\"$'
 55      )
 56      // the regex above is fairly loose, so tighten it by requiring a more specific ending:
       // punctuation, then 5+ alphanumerics, right before the closing quote
 57      and regex.icontains(subject.subject, '[[:punct:]]\s*[a-z0-9]{5,}\"$')
 58    )
 59  
 60    // finally get ready to do link analysis
 61    // filter body.links down to the links of interest
 62    or any(filter(body.links,
 63                  // target the "Open" link
                    // NOTE(review): "Open" is English display text; presumably localized Drive
                    // notifications would never reach link analysis — confirm
 64                  (
 65                    .href_url.domain.domain == "drive.google.com"
 66                    and strings.icontains(.href_url.path, '/view')
 67                    // this isn't controlled by the actor
 68                    and .display_text == "Open"
 69                  )
 70           ),
 71           // the Google Drive page has already been taken down for a TOS violation
             // (the final DOM shows Google's takedown notice)
             // NOTE(review): ml.link_analysis(., mode="aggressive") is evaluated several times on the
             // same link in this block; presumably the platform caches the result — confirm
 72           strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
 73                             "You can't access this item because it is in violation of our Terms of Service"
 74           )
 75  
 76           // if not taken down
 77           // filter down the links on the google drive page to those that are external to google
 78           or any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
 79                         .href_url.domain.root_domain != 'google.com'
 80                         // and drop relative links (no domain component)
 81                         and .href_url.domain.domain is not null
 82                  ),
 83                  (
 84                    // any of those links' domains are newly registered (whois-derived age under 30 days)
 85                    network.whois(.href_url.domain).days_old < 30
 86                    // go to free file hosts
 87                    or .href_url.domain.root_domain in $free_file_hosts
 88                    or .href_url.domain.domain in $free_file_hosts
 89  
 90                    // go to free subdomain hosts
 91                    or (
 92                      .href_url.domain.root_domain in $free_subdomain_hosts
 93                      // only when an actual (non-www) subdomain is present
 94                      and .href_url.domain.subdomain is not null
 95                      and .href_url.domain.subdomain != "www"
 96                    )
 97                    // go to URL shorteners
 98                    or .href_url.domain.root_domain in $url_shorteners
 99                    or .href_url.domain.domain in $url_shorteners
100                    or (
101                      // find any links that mention common "action" words
102                      regex.icontains(.display_text,
103                                      '(?:view|click|show|access|download|continue|goto|Validate|Va[il]idar|login|verify|account)'
104                      )
105                      and (
106                        // and when visited, the link's page is classified as credential phishing
107                        ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
108  
109                        // or the visit lands on a CAPTCHA page
110                        or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
111  
112                        // or the page redirects (at least one hop) to a popular website —
                           // observed when an evasive page cloaks itself from analysis
113                        or (
114                          length(ml.link_analysis(., mode="aggressive").redirect_history
115                          ) > 0
                             // $tranco_10k: presumably the Tranco top-10k popular-domain list
116                          and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
117                        )
118                      )
119                    )
120                  )
121           )
122    )
123  )  
124attack_types:
125  - "Credential Phishing"
126tactics_and_techniques:
127  - "Evasion"
128  - "Free email provider"
129  - "Free file host"
130detection_methods:
131  - "Content analysis"
132  - "Sender analysis"
133  - "URL analysis"
134  - "Whois"
135  - "HTML analysis"
136id: "c86288b4-98f3-5d71-850e-c001a628600a"