Service abuse: Google application integration redirecting to suspicious hosts
Detects legitimate Google application integration emails that contain links redirecting to free file hosting services or free subdomain hosts, including Microsoft OAuth redirects to suspicious domains. These could indicate abuse of Google's legitimate service for malicious redirects.
Sublime rule

```yaml
name: "Service abuse: Google application integration redirecting to suspicious hosts"
description: "Detects legitimate Google application integration emails that contain links redirecting to free file hosting services or free subdomain hosts, including Microsoft OAuth redirects to suspicious domains. These could indicate abuse of Google's legitimate service for malicious redirects."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "noreply-application-integration@google.com"
  and headers.auth_summary.dmarc.pass
  and length(body.links) < 10
  and any(body.links,
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.domain in $free_subdomain_hosts
          // Mimecast link logic
          or (
            .href_url.domain.root_domain in (
              "mimecastprotect.com",
              "mimecast.com"
            )
            and any(.href_url.query_params_decoded['domain'],
                    strings.parse_domain(.).domain in $free_file_hosts
                    or strings.parse_domain(.).root_domain in $free_file_hosts
                    or strings.parse_domain(.).root_domain in $free_subdomain_hosts
                    or . in (
                      "storage.cloud.google.com",
                      "login.microsoftonline.com"
                    )
            )
          )
          or network.whois(.href_url.domain).days_old < 30
          // abuse observed
          or .href_url.domain.root_domain == "share.google"
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Open redirect"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "473d3247-8f99-5130-b091-ed95a6fff5ba"
```
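As an added example (not Sublime's engine or code from the rule's repository), the Python below re-implements the rule's decision logic, including the Mimecast `?domain=` unwrapping, and runs it over two constructed messages. The host lists, the `days_old` callback and the message dict shape are assumptions standing in for Sublime's `$free_file_hosts`, `$free_subdomain_hosts`, `network.whois()` and MQL message model.

```python
from urllib.parse import urlparse, parse_qs

# Constructed stand-ins for Sublime's $free_file_hosts / $free_subdomain_hosts lists.
FREE_FILE_HOSTS = {"dropbox.com", "mega.nz"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com"}
MIMECAST_ROOTS = {"mimecastprotect.com", "mimecast.com"}
GOOGLE_INTEGRATION_SENDER = "noreply-application-integration@google.com"

def root_domain(host):
    """Naive registrable-domain guess (last two labels); no public-suffix list here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def link_is_suspicious(href, days_old):
    """Per-link predicate of the rule; days_old(host) stands in for network.whois()."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    root = root_domain(host)
    if host in FREE_FILE_HOSTS or root in FREE_FILE_HOSTS or host in FREE_SUBDOMAIN_HOSTS:
        return True
    if root in MIMECAST_ROOTS:
        # Mimecast rewrites keep the real destination in the ?domain= query parameter
        for dom in parse_qs(parsed.query).get("domain", []):
            inner = (urlparse(dom if "://" in dom else "//" + dom).hostname or "").lower()
            inner_root = root_domain(inner)
            if (inner in FREE_FILE_HOSTS or inner_root in FREE_FILE_HOSTS
                    or inner_root in FREE_SUBDOMAIN_HOSTS
                    or dom in ("storage.cloud.google.com", "login.microsoftonline.com")):
                return True
    age = days_old(host)  # None means the lookup was unavailable
    if age is not None and age < 30:
        return True
    return root == "share.google"  # abuse observed, per the rule

def rule_matches(msg, days_old):
    """Whole-rule decision over a constructed message dict (not Sublime's MQL model)."""
    if not msg.get("inbound") or msg.get("sender") != GOOGLE_INTEGRATION_SENDER:
        return False
    if not msg.get("dmarc_pass") or len(msg.get("links", [])) >= 10:
        return False
    return any(link_is_suspicious(u, days_old) for u in msg["links"])

# Constructed sample messages: one benign share notification, one abusing the template
BENIGN = {"inbound": True, "sender": GOOGLE_INTEGRATION_SENDER, "dmarc_pass": True,
          "links": ["https://docs.google.com/document/d/constructed-id"]}
ABUSED = {"inbound": True, "sender": GOOGLE_INTEGRATION_SENDER, "dmarc_pass": True,
          "links": ["https://www.google.com/", "https://www.dropbox.com/s/constructed/invoice.zip"]}

if __name__ == "__main__":
    print(rule_matches(BENIGN, lambda h: None), rule_matches(ABUSED, lambda h: None))
```

The `days_old` callback returns `None` when offline, so the whois clause only fires when a real lookup is wired in.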