Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender

 1name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
 2description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 800
 8  and regex.icontains(body.current_thread.text,
 9                      '(shared.{0,30}with you|View Document)'
10  )
11  and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
12  
13  and (
14    profile.by_sender().prevalence in ("new", "outlier")
15    and not profile.by_sender().solicited
16  )
17  
18  // negate highly trusted sender domains unless they fail DMARC authentication
19  and (
20    (
21      sender.email.domain.root_domain in $high_trust_sender_root_domains
22      and not headers.auth_summary.dmarc.pass
23    )
24    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
25  )  
26attack_types:
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "Evasion"
30  - "Social engineering"
31detection_methods:
32  - "Content analysis"
33  - "Sender analysis"
34  - "URL analysis"
35id: "dbb50cb4-171f-532b-b820-906be09d03d6"