1+ name : " Brand impersonation: Google Drive fake file share"
2+ description : |
3+ This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
4+ type : " rule"
5+ severity : " medium"
6+ source : |
7+ type.inbound
8+
9+ // Google Drive body content looks like this
10+ and (
11+ (
12+ (
13+ any([body.current_thread.text, body.plain.raw],
14+ strings.ilike(.,
15+ "*shared a file with you*",
16+ "*shared with you*",
17+ "*invited you to review*",
18+ "*received a document*",
19+ "*shared a document*",
20+ "*shared a spreadsheet*",
21+ "*shared this document*",
22+ "*shared an item*",
23+ "*received this email because you*",
24+ "*shared a*with you*",
25+ "*automated *mail from google*drive*",
26+ "*added as an editor*",
27+ "*invited you to edit*"
28+ )
29+ )
30+ //
31+ // This rule makes use of a beta feature and is subject to change without notice
32+ // using the beta feature in custom rules is not suggested until it has been formally released
33+ //
34+ or strings.ilike(beta.ocr(file.message_screenshot()).text,
35+ "*shared a file with you*",
36+ "*shared with you*",
37+ "*invited you to review*",
38+ "*received a document*",
39+ "*shared a document*",
40+ "*shared a spreadsheet*",
41+ "*shared this document*",
42+ "*shared an item*",
43+ "*received this email because you*",
44+ "*shared a*with you*",
45+ "*automated *mail from google*drive*",
46+ "*added as an editor*",
47+ "*invited you to edit*"
48+ )
49+ // suspicious subjects
50+ or (
51+ (
52+ regex.icontains(subject.subject, 'shared \".*\" with you')
53+ and sender.email.domain.root_domain != "dropbox.com"
54+ )
55+ // with Google Drive terminology in body content
56+ and any([body.current_thread.text, body.plain.raw],
57+ strings.ilike(.,
58+ "*Google Drive*",
59+ "*Google Doc*",
60+ "*Google Sheet*",
61+ "*Google Slide*"
62+ )
63+ )
64+ )
65+ )
66+ and (
67+ strings.ilike(subject.subject,
68+ "*shared*",
69+ "*updated*",
70+ "*sign*",
71+ "*review*"
72+ )
73+ or any(recipients.to,
74+ strings.icontains(subject.subject, .email.domain.sld)
75+ )
76+ or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
77+ or any(body.links,
78+ strings.icontains(.display_text, "open document")
79+ or strings.iends_with(.display_text, ".pdf")
80+ or (
81+ .display_text =~ "Open"
82+ and network.whois(.href_url.domain).days_old < 365
83+ )
84+ )
85+ or strings.ilike(sender.display_name, "*Google Drive*")
86+ or subject.subject is null
87+ or subject.subject == ""
88+ or regex.icontains(body.current_thread.text, '^g.o.o.g.l.e')
89+ )
90+ )
91+ or any([
92+ "Contigo", // Spanish
93+ "Avec vous", // French
94+ "Mit Ihnen", // German
95+ "Con te", // Italian
96+ "Com você", // Portuguese
97+ "Met u", // Dutch
98+ "С вами", // Russian
99+ "与你", // Chinese (Simplified)
100+ "與您", // Chinese (Traditional)
101+ "あなたと", // Japanese
102+ "당신과", // Korean
103+ "معك", // Arabic
104+ "آپ کے ساتھ", // Urdu
105+ "আপনার সাথে", // Bengali
106+ "आपके साथ", // Hindi
107+ "Sizinle", // Turkish // Azerbaijani
108+ "Med dig", // Swedish
109+ "Z tobą", // Polish
110+ "З вами", // Ukrainian
111+ "Önnel", // Hungarian
112+ "Μαζί σας", // Greek
113+ "איתך", // Hebrew
114+ "กับคุณ", // Thai
115+ "Với bạn", // Vietnamese
116+ "Dengan Anda", // Indonesian // Malay
117+ "Nawe", // Swahili
118+ "Cu dumneavoastră", // Romanian
119+ "S vámi", // Czech
120+ "Med deg", // Norwegian
121+ "S vami", // Slovak
122+ "Med dig", // Danish
123+ "Amb vostè", // Catalan
124+ "Teiega", // Estonian
125+ "S vama", // Serbian
126+ ],
127+ strings.icontains(subject.subject, .)
128+ )
129+ )
130+
131+ // contains logic that impersonates Google
132+ and (
133+ any(ml.logo_detect(file.message_screenshot()).brands,
134+ strings.starts_with(.name, "Google")
135+ )
136+ // Google Drive share box formatting
137+ or strings.icontains(body.html.raw,
138+ '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
139+ )
140+ or any(attachments,
141+ .file_type in $file_types_images
142+ and (
143+ any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
144+ or strings.icontains(beta.ocr(.).text,
145+ strings.concat("You have received this email because ",
146+ sender.email.email,
147+ " shared a document with you"
148+ )
149+ )
150+ or strings.icontains(beta.ocr(.).text,
151+ strings.concat("You have received this email because ",
152+ sender.email.email,
153+ " received a file or folder"
154+ )
155+ )
156+ or any(recipients.to,
157+ strings.icontains(beta.ocr(..).text,
158+ strings.concat("You have received this email because ",
159+ .email.email,
160+ " shared a document with you"
161+ )
162+ )
163+ )
164+ or any(recipients.to,
165+ strings.icontains(beta.ocr(..).text,
166+ strings.concat("You have received this email because ",
167+ .email.email,
168+ " received a file or folder"
169+ )
170+ )
171+ )
172+ or strings.icontains(beta.ocr(.).text,
173+ strings.concat(sender.display_name,
174+ " (",
175+ sender.email.email,
176+ ") ",
177+ "shared"
178+ )
179+ )
180+ )
181+ )
182+ or strings.icontains(body.current_thread.text,
183+ strings.concat("You have received this email because ",
184+ sender.email.email,
185+ " shared a document with you"
186+ )
187+ )
188+ or strings.icontains(body.current_thread.text,
189+ strings.concat("You have received this email because ",
190+ sender.email.email,
191+ " received a file or folder"
192+ )
193+ )
194+ or any(recipients.to,
195+ strings.icontains(body.current_thread.text,
196+ strings.concat("You have received this email because ",
197+ .email.email,
198+ " shared a document with you"
199+ )
200+ )
201+ )
202+ or any(recipients.to,
203+ strings.icontains(body.current_thread.text,
204+ strings.concat("You have received this email because ",
205+ .email.email,
206+ " received a file or folder"
207+ )
208+ )
209+ )
210+ or strings.icontains(body.current_thread.text,
211+ strings.concat(sender.display_name,
212+ " (",
213+ sender.email.email,
214+ ") ",
215+ "shared"
216+ )
217+ )
218+ // Google address from footer
219+ or 2 of (
220+ strings.icontains(body.current_thread.text, 'Google LLC'),
221+ strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
222+ strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
223+ )
224+ )
225+ and not (
226+ // Google Sites has been observed abused
227+ all(body.links,
228+ .href_url.domain.root_domain in ("google.com")
229+ // allow for matches against sites.google.com, which has been observed being abused
230+ and .href_url.domain.domain != "sites.google.com"
231+ )
232+ )
233+ and sender.email.domain.root_domain not in $org_domains
234+ and sender.email.domain.root_domain not in ("google.com")
235+ and not (
236+ all(headers.references, strings.ends_with(., '@docs-share.google.com'))
237+ and headers.return_path.domain.domain == "doclist.bounces.google.com"
238+ )
239+ // negate first threads that are a legitimate Google Drive share
240+ and not (
241+ length(body.previous_threads) != 0
242+ and length(body.previous_threads[length(body.previous_threads) - 1].links) != 0
243+ and all(body.previous_threads[length(body.previous_threads) - 1].links,
244+ .href_url.domain.root_domain == "google.com"
245+ )
246+ )
247+
248+ // negate highly trusted sender domains unless they fail DMARC authentication
249+ and (
250+ (
251+ sender.email.domain.root_domain in $high_trust_sender_root_domains
252+ and not headers.auth_summary.dmarc.pass
253+ )
254+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
255+ )
256+ and (
257+ profile.by_sender().solicited == false
258+ or profile.by_sender_email().prevalence == "new"
259+ or (
260+ profile.by_sender().any_messages_malicious_or_spam
261+ and not profile.by_sender().any_messages_benign
262+ )
263+ )
264+ and not profile.by_sender().any_messages_benign
265+ attack_types :
266+ - " Credential Phishing"
267+ - " Malware/Ransomware"
268+ detection_methods :
269+ - " Content analysis"
270+ - " Header analysis"
271+ - " URL analysis"
272+ - " Computer Vision"
273+ tactics_and_techniques :
274+ - " Impersonation: Brand"
275+ - " Social engineering"
276+ id : " dcb34fd1-3db0-5a64-ba43-02a4aae8eb45"
277+ og_id : " b424a941-2623-50f5-a3be-e90130e538d2"
278+ testing_pr : 4699
279+ testing_sha : d6d5d4fd1b16709fc3fb8f6907034e5586d8a7b5
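Review bot: The unconditional sender exclusion at line 234, `and sender.email.domain.root_domain not in ("google.com")`, suppresses the rule for any message whose sender domain is google.com regardless of authentication, which contradicts the intent stated in the comment at line 248 (negate trusted domains unless they fail DMARC) and leaves a spoofed google.com sender that fails DMARC uncovered — the most direct impersonation case this rule is meant to catch. Consider gating that exclusion on authentication, e.g. `and not (sender.email.domain.root_domain == "google.com" and headers.auth_summary.dmarc.pass)`, so authenticated Google mail stays excluded while the legitimacy checks at lines 235–238 and the DMARC block at lines 249–255 handle the rest. Separately, `and not profile.by_sender().any_messages_benign` at line 264 already implies the inner `and not profile.by_sender().any_messages_benign` at line 261, so the third branch at lines 259–262 can be reduced to `or profile.by_sender().any_messages_malicious_or_spam`. The trailing comma after the last entry of the `2 of (...)` list at line 222 is also worth confirming the rule parser accepts, since the other lists in this file do not use one.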