Spam: Sexually Explicit Google Group Invitation
Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions.
Sublime rule
# Sublime Security detection rule: YAML metadata wrapping an MQL query in `source`.
# The query flags Google Groups invitation/"added to group" notifications whose
# group name or description looks like sexually explicit spam, unless the inviter
# is a user at one of the organisation's own domains ($org_domains).
name: "Spam: Sexually Explicit Google Group Invitation"
description: "Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions."
type: "rule"
severity: "low"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  //
  // Warning: This rule contains sexually explicit keywords
  //
  // The notification itself must originate from Google Groups' no-reply sender;
  // the abusive content lives in the group name/description, not the envelope.
  and sender.email.email == "noreply@groups.google.com"
  and (
    // Subject is a Google Groups invite / "added to group" notification ...
    strings.istarts_with(subject.subject, 'Invitation to join ')
    or strings.istarts_with(subject.subject, 'You have been added to ')
    // ... or the same phrase appears later in the subject (not at the start) and the
    // group name that follows it contains a sexually explicit keyword.
    // this regex should be kept in sync between the Google Group and the Looker Studio rules
    or regex.icontains(subject.subject,
                       '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
    )
  )
  // Exclude invites sent by a user at one of the org's own domains: the body names the
  // inviter as "<user>@<org_domain> invited you to join the" / "<user>@<org_domain> added you to the".
  // NOTE(review): this is a plain "@<domain> <phrase>" substring match, so an inviter at a
  // subdomain of an org domain (e.g. "@mail.<org_domain>") is NOT excluded unless that
  // subdomain is itself listed in $org_domains — confirm that is the intended scope.
  and not any($org_domains,
              strings.icontains(body.current_thread.text,
                                strings.concat('@',
                                               .,
                                               ' invited you to join the '
                                )
              )
              or strings.icontains(body.current_thread.text,
                                   strings.concat('@', ., ' added you to the ')
              )
  )
  // At least one of the following "suspicious pattern" indicators must also be present.
  and (
    // The group name starts and ends with a 5-7 character alphanumeric token (case-insensitive
    // match), and the text between them must end with a non-alphabetic or non-ASCII character
    // (a digit, punctuation or symbol) immediately before the final token. Note that the regex
    // does not by itself require a digit anywhere in the name.
    regex.icontains(subject.subject,
                    '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$'
    )
    // calls to action in the group name
    or regex.icontains(subject.subject,
                       '(?:added to|to join) .*(join|(?:click|go|tap) here)'
    )
    // it contains an emoji in the group name (code point ranges cover the common emoji
    // and symbol blocks listed below)
    or regex.icontains(subject.subject,
                       '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
    )
    // the description of the group (text after "about this group" / "message from")
    // contains sexually explicit keywords AND is followed by a link
    // this regex should be kept in sync between the Google Group and the Looker Studio rules
    or regex.icontains(body.current_thread.text,
                       '(?:about this group|message from).*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner).*https?://'
    )
    // the invitor is an email domain which contains 3 labels
    // (illustrative: user@sub.example.com) — the address is matched at the start of a
    // body line, immediately before the "added you to the" / "invited you to join the" phrase
    or (
      regex.icontains(body.current_thread.text,
                      '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)'
      )
      // ... except where the group address itself is under a "lists." label
      and not regex.icontains(body.current_thread.text,
                              '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\@]+\@lists\.'
      )
    )
  )
# Classification metadata attached to the rule.
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
# Rule identifier (UUID format).
id: "4e0bec29-be9c-526f-ad56-824b4d87f55d"