Link: Multistage Landing - Abused Google Drive

The detection rule matches message groups that use Google Drive as a landing page. The landing page contains links that are newly registered, use free file or subdomain hosts or URL shorteners, or that, when visited, are phishing pages, lead to a CAPTCHA, or redirect to a common website.


 1name: "Link: Multistage Landing - Abused Google Drive"
 2description: "The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a common website."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  
 8  // reply-to email address as never been sent an email by the org
 9  and not any(headers.reply_to, .email.email in $recipient_emails)
10  
11  // message is from google actual
12  and sender.email.domain.domain == 'google.com'
13  and (
14    sender.email.local_part == "drive-shares-noreply"
15    or sender.email.local_part == "drive-shares-dm-noreply"
16  )
17  and headers.auth_summary.spf.pass
18  and strings.ends_with(headers.auth_summary.spf.details.designator,
19                        'doclist.bounces.google.com'
20  )
21  and headers.auth_summary.dmarc.pass
22  
23  // filter out all the links, keeping only the links of interest
24  and any(filter(body.links,
25                 // target the "Open" link
26                 (
27                   .href_url.domain.domain == "drive.google.com"
28                   and strings.icontains(.href_url.path, '/view')
29                   // this isn't controlled by the actor
30                   and .display_text == "Open"
31                 )
32          ),
33          // the Google Drive page has been taken down due to TOS violations
34          strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text, "You can't access this item because it is in violation of our Terms of Service")
35          
36          // if not taken down
37          // filter down the links on the google drive page to those that are external to google
38          or any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
39                     .href_url.domain.root_domain != 'google.com'
40                     // relative links (no domains)
41                     and .href_url.domain.domain is not null
42              ),
43              (
44                // any of those links domains are new
45                network.whois(.href_url.domain).days_old < 30
46                // go to free file hosts
47                or .href_url.domain.root_domain in $free_file_hosts
48                or .href_url.domain.domain in $free_file_hosts
49  
50                // go to free subdomains hosts
51                or (
52                  .href_url.domain.root_domain in $free_subdomain_hosts
53                  // where there is a subdomain
54                  and .href_url.domain.subdomain is not null
55                  and .href_url.domain.subdomain != "www"
56                )
57                // go to url shortners
58                or .href_url.domain.root_domain in $url_shorteners
59                or .href_url.domain.domain in $url_shorteners
60                or (
61                  // find any links that mention common "action" words
62                  regex.icontains(.display_text,
63                                  '(?:view|click|show|access|download|continue|goto|Validate|Va[il]idar|login|verify|account)'
64                  )
65                  and (
66                    // and when visiting those links, are phishing
67                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
68  
69                    // hit a captcha page
70                    or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
71  
72                    // or the page redirects to common website, observed when evasion happens
73                    or (
74                      length(ml.link_analysis(., mode="aggressive").redirect_history
75                      ) > 0
76                      and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
77                    )
78                  )
79                )
80              )
81          )
82  )  
83attack_types:
84  - "Credential Phishing"
85tactics_and_techniques:
86  - "Evasion"
87  - "Free email provider"
88  - "Free file host"
89detection_methods:
90  - "Content analysis"
91  - "Sender analysis"
92  - "URL analysis"
93  - "Whois"
94  - "HTML analysis"
95id: "c86288b4-98f3-5d71-850e-c001a628600a"