Link: Multistage landing - Published Google Doc

A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs.

Sublime rule (View on GitHub)

 1name: "Link: Multistage landing - Published Google Doc"
 2description: "A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and not sender.email.domain.domain == "google.com"
 8  and length(distinct(filter(body.links,
 9                             .href_url.domain.domain == "docs.google.com"
10                      ),
11                      .href_url.url
12             )
13  ) < 3
14  and any(filter(body.links,
15                 .href_url.domain.domain == "docs.google.com"
16                 and (
17                   any(ml.nlu_classifier(.display_text).entities,
18                       .name == "request"
19                   )
20                   or any(ml.nlu_classifier(.display_text).intents,
21                          .name == "cred_theft"
22                   )
23                 )
24          ),
25          strings.istarts_with(ml.link_analysis(., mode="aggressive").final_dom.display_text,
26                               "Published using Google Docs"
27          )
28          // filter down to links in the document where the display text is suspicious
29          and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
30                         any(ml.nlu_classifier(.display_text).entities,
31                             .name == "request"
32                         )
33                         or any(ml.nlu_classifier(.display_text).intents,
34                                .name == "cred_theft"
35                         )
36                  ),
37                  (
38                    // any of those links domains are new
39                    network.whois(.href_url.domain).days_old < 30
40  
41                    // go to free subdomains hosts
42                    or (
43                      .href_url.domain.root_domain in $free_subdomain_hosts
44                      // where there is a subdomain
45                      and .href_url.domain.subdomain is not null
46                      and .href_url.domain.subdomain != "www"
47                    )
48                    // go to url shortners
49                    or .href_url.domain.root_domain in $url_shorteners
50                    or .href_url.domain.root_domain in $social_landing_hosts
51                    or .href_url.domain.domain in $url_shorteners
52                    or .href_url.domain.domain in $social_landing_hosts
53  
54                    // go to suspicious TLDs
55                    or .href_url.domain.tld in $suspicious_tlds
56  
57                    // check for a second stage website that contains a suspicious link
58                    // in other words, this LA call is inspecting links in sites on the Google Doc page
59                    // we have seen Google Docs -> Google Slides (which this call is inspecting) -> malicious site
60                    or any(ml.link_analysis(.href_url).final_dom.links,
61                           .href_url.domain.root_domain in $free_file_hosts
62                           or .href_url.domain.domain in $free_file_hosts
63                           or (
64                             .href_url.domain.root_domain in $free_subdomain_hosts
65                             // where there is a subdomain
66                             and .href_url.domain.subdomain is not null
67                             and .href_url.domain.subdomain != "www"
68                           )
69                           or .href_url.domain.root_domain in $url_shorteners
70                           or .href_url.domain.root_domain in $social_landing_hosts
71                           or .href_url.domain.domain in $url_shorteners
72                           or .href_url.domain.domain in $social_landing_hosts
73  
74                           // go to suspicious TLDs
75                           or .href_url.domain.tld in $suspicious_tlds
76                    )
77                  )
78          )
79  )
80  and not (
81    length(headers.reply_to) == 1
82    and all(headers.reply_to, .email.domain.domain in $org_domains)
83  )  
84
85attack_types:
86  - "Credential Phishing"
87tactics_and_techniques:
88  - "Free file host"
89  - "Social engineering"
90detection_methods:
91  - "Natural Language Understanding"
92  - "URL analysis"
93  - "Whois"
94id: "031e1ff8-3d7d-5bbe-8e61-f5f3d19e9760"
to-top