Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender

 1name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
 2description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1000
 8  and regex.icontains(body.current_thread.text,
 9                      '(shared.{0,30}with you|View Document)'
10  )
11  and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
12  and (
13    profile.by_sender().prevalence in ("new", "outlier")
14    and not profile.by_sender().solicited
15  )
16  
17  // negate highly trusted sender domains unless they fail DMARC authentication
18  and (
19    (
20      sender.email.domain.root_domain in $high_trust_sender_root_domains
21      and not headers.auth_summary.dmarc.pass
22    )
23    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
24  )  
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Evasion"
29  - "Social engineering"
30detection_methods:
31  - "Content analysis"
32  - "Sender analysis"
33  - "URL analysis"
34id: "dbb50cb4-171f-532b-b820-906be09d03d6"