Link: Multistage Landing - Abused Google Drive
This rule matches messages that use a Google Drive share as a landing page, where the Drive page contains links that point to newly registered domains, free file or subdomain hosts, or URL shorteners, or that when visited resolve to a phishing page, a captcha, or a redirect to a popular website.
Sublime rule
name: "Link: Multistage Landing - Abused Google Drive"
description: "The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, URL shorteners or when visited are phishing pages, lead to a captcha or redirect to a common website."
type: "rule"
severity: "high"
source: |
  type.inbound

  // reply-to email address has never been sent an email by the org
  and not any(headers.reply_to, .email.email in $recipient_emails)

  // message is from google actual
  and sender.email.domain.domain == 'google.com'
  and (
    sender.email.local_part == "drive-shares-noreply"
    or sender.email.local_part == "drive-shares-dm-noreply"
  )
  and headers.auth_summary.spf.pass
  and strings.ends_with(headers.auth_summary.spf.details.designator,
                        'doclist.bounces.google.com'
  )
  and headers.auth_summary.dmarc.pass

  // filter out all the links, keeping only the links of interest
  and any(filter(body.links,
                 // target the "Open" link
                 (
                   .href_url.domain.domain == "drive.google.com"
                   and strings.icontains(.href_url.path, '/view')
                   // this isn't controlled by the actor
                   and .display_text == "Open"
                 )
          ),
          // the Google Drive page has been taken down due to TOS violations
          strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text, "You can't access this item because it is in violation of our Terms of Service")

          // if not taken down
          // filter down the links on the google drive page to those that are external to google
          or any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                        .href_url.domain.root_domain != 'google.com'
                        // relative links (no domains)
                        and .href_url.domain.domain is not null
                 ),
                 (
                   // any of those links' domains are new
                   network.whois(.href_url.domain).days_old < 30
                   // go to free file hosts
                   or .href_url.domain.root_domain in $free_file_hosts
                   or .href_url.domain.domain in $free_file_hosts

                   // go to free subdomain hosts
                   or (
                     .href_url.domain.root_domain in $free_subdomain_hosts
                     // where there is a subdomain
                     and .href_url.domain.subdomain is not null
                     and .href_url.domain.subdomain != "www"
                   )
                   // go to URL shorteners
                   or .href_url.domain.root_domain in $url_shorteners
                   or .href_url.domain.domain in $url_shorteners
                   or (
                     // find any links that mention common "action" words
                     regex.icontains(.display_text,
                                     '(?:view|click|show|access|download|continue|goto|Validate|Va[il]idar|login|verify|account)'
                     )
                     and (
                       // and when visiting those links, are phishing
                       ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                       // hit a captcha page
                       or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                       // or the page redirects to a common website, observed when evasion happens
                       or (
                         length(ml.link_analysis(., mode="aggressive").redirect_history
                         ) > 0
                         and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                       )
                     )
                   )
                 )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "c86288b4-98f3-5d71-850e-c001a628600a"
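The external-link branch of the rule (the checks applied to each non-Google link found on the Drive page), reproduced as an added Python example that is not part of the rule or of Sublime's engine. The Sublime lists (`$free_file_hosts`, `$free_subdomain_hosts`, `$url_shorteners`, `$tranco_10k`), `network.whois()` and the `ml.link_analysis()` results are replaced by constructed stand-ins, and the root/subdomain split is a simplified two-label split rather than a public-suffix lookup.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse
# Constructed stand-ins for the Sublime lists the rule references ($free_file_hosts,
# $free_subdomain_hosts, $url_shorteners, $tranco_10k) and for network.whois() age lookups.
FREE_FILE_HOSTS = {"filehost.example"}
FREE_SUBDOMAIN_HOSTS = {"pages.example"}
URL_SHORTENERS = {"short.example"}
TRANCO_10K = {"popular.example"}
WHOIS_DAYS_OLD = {"fresh-domain.example": 3, "old-domain.example": 2000}  # unknown = old
# the same pattern the rule applies with regex.icontains to each link's display text
ACTION_WORDS = re.compile(
    r"(?:view|click|show|access|download|continue|goto|Validate|Va[il]idar|login|verify|account)",
    re.IGNORECASE)
@dataclass
class Link:
    """One link from the Drive page plus stand-ins for its ml.link_analysis() results."""
    href: str
    display_text: str = ""
    disposition: str = "benign"     # credphish.disposition
    contains_captcha: bool = False  # credphish.contains_captcha
    redirects: int = 0              # length(redirect_history)
    effective_root: str = ""        # effective_url.domain.root_domain

def flag_reason(link):
    """Mirror the rule's external-link branch: return the first matching reason, else None."""
    host = urlparse(link.href).hostname
    if host is None:                  # relative link: .href_url.domain.domain is null
        return None
    labels = host.lower().split(".")  # simplified split, no public-suffix list
    root, sub = ".".join(labels[-2:]), (".".join(labels[:-2]) or None)
    if root == "google.com":          # only links external to Google are examined
        return None
    if WHOIS_DAYS_OLD.get(root, 10_000) < 30:
        return "newly registered domain"
    if root in FREE_FILE_HOSTS or host in FREE_FILE_HOSTS:
        return "free file host"
    if root in FREE_SUBDOMAIN_HOSTS and sub not in (None, "www"):
        return "free subdomain host"
    if root in URL_SHORTENERS or host in URL_SHORTENERS:
        return "url shortener"
    if ACTION_WORDS.search(link.display_text):
        if link.disposition == "phishing":
            return "action link resolves to a phishing page"
        if link.contains_captcha:
            return "action link leads to a captcha"
        if link.redirects > 0 and link.effective_root in TRANCO_10K:
            return "action link redirects to a popular site"
    return None
```

The rule's `any(...)` over the filtered links corresponds to `any(flag_reason(l) for l in links)`; a link whose display text carries no action word is not flagged by the phishing, captcha or redirect checks, exactly as in the rule.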