Spam: Sexually Explicit Looker Studio Report

Detects suspicious Looker Studio reports that contain inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report.

Sublime rule (View on GitHub)

name: "Spam: Sexually Explicit Looker Studio Report"
description: "Detects suspicious Looker Studio Reports which containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report."
type: "rule"
severity: "low"
source: |
  type.inbound
  // 
  //  Warning: This rule contains sexually explicit keywords
  // 
  and sender.email.email == "looker-studio-noreply@google.com"
  // the invite is not from an $org_domain user
  and all(headers.reply_to,
          .email.domain.domain not in $org_domains
          and .email.email not in $recipient_emails
          and .email.email not in $sender_emails
  )
  // the subject or the body contain sexually explicit keywords
  and any([subject.subject, body.current_thread.text],
          // this regex should be kept in sync between the Google Group and the Looker Studio rules
          regex.icontains(.,
                          '(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult\s*(?:\w+\s+){0,2}\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
          )
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
  - "Free email provider"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "f1e649cd-63c0-5df4-86c9-72adc4eef0f0"
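
The rule's three conditions, modelled in Python over constructed messages to show how the reply-to gate and the keyword pattern interact. This is an added example, not part of the Sublime rule: the message field names, the addresses and the mapping of regex.icontains to a case-insensitive re.search are assumptions.

```python
import re

# Keyword pattern copied verbatim from the rule above. MQL's regex.icontains is
# modelled here as a case-insensitive re.search (an assumption of this sketch).
PATTERN = re.compile(
    r'(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult\s*(?:\w+\s+){0,2}\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)',
    re.IGNORECASE,
)
LOOKER_SENDER = "looker-studio-noreply@google.com"


def rule_match(msg, org_domains, recipient_emails=frozenset(), sender_emails=frozenset()):
    """Return the keyword that would trigger the rule, or None if it would not fire."""
    if msg["sender"] != LOOKER_SENDER:
        return None
    # all(headers.reply_to, ...): every reply-to address must be outside the org
    # and absent from both address lists. An empty reply_to list is not modelled.
    for addr in msg["reply_to"]:
        addr = addr.lower()
        if (addr.rsplit("@", 1)[-1] in org_domains
                or addr in recipient_emails or addr in sender_emails):
            return None
    # any([subject.subject, body.current_thread.text], regex.icontains(...))
    for text in (msg["subject"], msg["body"]):
        hit = PATTERN.search(text)
        if hit:
            return hit.group(0).lower()
    return None


def message(reply_to, subject, body="Figures attached."):
    """Build a constructed test message; field names are hypothetical."""
    return {"sender": LOOKER_SENDER, "reply_to": [reply_to], "subject": subject, "body": body}


ORG = {"corp.example"}  # constructed stand-in for $org_domains
SAMPLES = {
    "spam": message("promo@mailer.example", "Local girls near you"),
    "external_benign": message("analyst@vendor.example", "Stripe revenue dashboard"),
    "internal": message("alice@corp.example", "Weekly video metrics"),
    "bounded_term": message("tutor@school.example", "Assessment class pass rates"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:16} -> {rule_match(msg, ORG)}")
```

Only `ass` carries `\b` anchors, so the other keywords match inside longer words: the constructed "Stripe revenue dashboard" report from an unknown external reply-to fires on `strip`, while "Assessment class pass rates" does not fire. When tuning for false positives, the reply-to gate and the two address lists are what suppress such hits for known correspondents.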