Link: Multistage Landing - Published Google Doc
A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs.
Sublime rule (View on GitHub)
1name: "Link: Multistage Landing - Published Google Doc"
2description: "A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and not sender.email.domain.domain == "google.com"
8 and length(distinct(filter(body.links,
9 .href_url.domain.domain == "docs.google.com"
10 ),
11 .href_url.url
12 )
13 ) < 3
14 and any(filter(body.links,
15 .href_url.domain.domain == "docs.google.com"
16 and (
17 any(ml.nlu_classifier(.display_text).entities,
18 .name == "request"
19 )
20 or any(ml.nlu_classifier(.display_text).intents,
21 .name == "cred_theft"
22 )
23 )
24 ),
25 strings.istarts_with(ml.link_analysis(., mode="aggressive").final_dom.display_text,
26 "Published using Google Docs"
27 )
28 // filter down to links in the document where the display text is suspicious
29 and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
30 any(ml.nlu_classifier(.display_text).entities,
31 .name == "request"
32 )
33 or any(ml.nlu_classifier(.display_text).intents,
34 .name == "cred_theft"
35 )
36 ),
37 (
38 // any of those links domains are new
39 network.whois(.href_url.domain).days_old < 30
40
41 // go to free subdomains hosts
42 or (
43 .href_url.domain.root_domain in $free_subdomain_hosts
44 // where there is a subdomain
45 and .href_url.domain.subdomain is not null
46 and .href_url.domain.subdomain != "www"
47 )
48 // go to url shortners
49 or .href_url.domain.root_domain in $url_shorteners
50 or .href_url.domain.domain in $url_shorteners
51
52 // go to suspicious TLDs
53 or .href_url.domain.tld in $suspicious_tlds
54
55 // check for a second stage website that contains a suspicious link
56 // in other words, this LA call is inspecting links in sites on the Google Doc page
57 // we have seen Google Docs -> Google Slides (which this call is inspecting) -> malicious site
58 or any(ml.link_analysis(.href_url).final_dom.links,
59 .href_url.domain.root_domain in $free_file_hosts
60 or .href_url.domain.domain in $free_file_hosts
61 or (
62 .href_url.domain.root_domain in $free_subdomain_hosts
63 // where there is a subdomain
64 and .href_url.domain.subdomain is not null
65 and .href_url.domain.subdomain != "www"
66 )
67 or .href_url.domain.root_domain in $url_shorteners
68 or .href_url.domain.domain in $url_shorteners
69
70 // go to suspicious TLDs
71 or .href_url.domain.tld in $suspicious_tlds
72 )
73 )
74 )
75 )
76 and not (
77 length(headers.reply_to) == 1
78 and all(headers.reply_to, .email.domain.domain in $org_domains)
79 )
80
81attack_types:
82 - "Credential Phishing"
83tactics_and_techniques:
84 - "Free file host"
85 - "Social engineering"
86detection_methods:
87 - "Natural Language Understanding"
88 - "URL analysis"
89 - "Whois"
90id: "031e1ff8-3d7d-5bbe-8e61-f5f3d19e9760"