1+ name : " Brand impersonation: Google Drive fake file share"
2+ description : |
3+ This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
4+ type : " rule"
5+ severity : " medium"
6+ source : |
7+ type.inbound
8+
9+ // Google Drive body content looks like this
10+ and (
11+ (
12+ (
13+ any([body.current_thread.text, body.plain.raw],
14+ strings.ilike(.,
15+ "*shared a file with you*",
16+ "*shared with you*",
17+ "*invited you to review*",
18+ "*received a document*",
19+ "*shared a document*",
20+ "*shared a spreadsheet*",
21+ "*shared this document*",
22+ "*shared an item*",
23+ "*received this email because you*",
24+ "*shared a*with you*"
25+ )
26+ )
27+ //
28+ // This rule makes use of a beta feature and is subject to change without notice
29+ // using the beta feature in custom rules is not suggested until it has been formally released
30+ //
31+ or strings.ilike(beta.ocr(file.message_screenshot()).text,
32+ "*shared a file with you*",
33+ "*shared with you*",
34+ "*invited you to review*",
35+ "*received a document*",
36+ "*shared a document*",
37+ "*shared a spreadsheet*",
38+ "*shared this document*",
39+ "*shared an item*",
40+ "*received this email because you*",
41+ "*shared a*with you*"
42+ )
43+ )
44+ and (
45+ strings.ilike(subject.subject,
46+ "*shared*",
47+ "*updated*",
48+ "*sign*",
49+ "*review*"
50+ )
51+ or any(recipients.to,
52+ strings.icontains(subject.subject, .email.domain.sld)
53+ )
54+ or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
55+ or any(body.links, strings.icontains(.display_text, "open document"))
56+ or strings.ilike(sender.display_name, "*Google Drive*")
57+ or subject.subject is null
58+ or subject.subject == ""
59+ )
60+ )
61+ or any([
62+ "Contigo", // Spanish
63+ "Avec vous", // French
64+ "Mit Ihnen", // German
65+ "Con te", // Italian
66+ "Com você", // Portuguese
67+ "Met u", // Dutch
68+ "С вами", // Russian
69+ "与你", // Chinese (Simplified)
70+ "與您", // Chinese (Traditional)
71+ "あなたと", // Japanese
72+ "당신과", // Korean
73+ "معك", // Arabic
74+ "آپ کے ساتھ", // Urdu
75+ "আপনার সাথে", // Bengali
76+ "आपके साथ", // Hindi
77+ "Sizinle", // Turkish // Azerbaijani
78+ "Med dig", // Swedish
79+ "Z tobą", // Polish
80+ "З вами", // Ukrainian
81+ "Önnel", // Hungarian
82+ "Μαζί σας", // Greek
83+ "איתך", // Hebrew
84+ "กับคุณ", // Thai
85+ "Với bạn", // Vietnamese
86+ "Dengan Anda", // Indonesian // Malay
87+ "Nawe", // Swahili
88+ "Cu dumneavoastră", // Romanian
89+ "S vámi", // Czech
90+ "Med deg", // Norwegian
91+ "S vami", // Slovak
92+ "Med dig", // Danish
93+ "Amb vostè", // Catalan
94+ "Teiega", // Estonian
95+ "S vama", // Serbian
96+ ],
97+ strings.icontains(subject.subject, .)
98+ )
99+ )
100+
101+ // contains logic that impersonates Google
102+ and (
103+ any(ml.logo_detect(file.message_screenshot()).brands,
104+ strings.starts_with(.name, "Google")
105+ )
106+ // Google Drive share box formatting
107+ or strings.icontains(body.html.raw,
108+ '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
109+ )
110+ or any(attachments,
111+ .file_type in $file_types_images
112+ and (
113+ any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
114+ or strings.icontains(beta.ocr(.).text,
115+ strings.concat("You have received this email because ",
116+ sender.email.email,
117+ " shared a document with you"
118+ )
119+ )
120+ or strings.icontains(beta.ocr(.).text,
121+ strings.concat("You have received this email because ",
122+ sender.email.email,
123+ " received a file or folder"
124+ )
125+ )
126+ or any(recipients.to,
127+ strings.icontains(beta.ocr(..).text,
128+ strings.concat("You have received this email because ",
129+ .email.email,
130+ " shared a document with you"
131+ )
132+ )
133+ )
134+ or any(recipients.to,
135+ strings.icontains(beta.ocr(..).text,
136+ strings.concat("You have received this email because ",
137+ .email.email,
138+ " received a file or folder"
139+ )
140+ )
141+ )
142+ or strings.icontains(beta.ocr(.).text,
143+ strings.concat(sender.display_name,
144+ " (",
145+ sender.email.email,
146+ ") ",
147+ "shared"
148+ )
149+ )
150+ )
151+ )
152+ or strings.icontains(body.current_thread.text,
153+ strings.concat("You have received this email because ",
154+ sender.email.email,
155+ " shared a document with you"
156+ )
157+ )
158+ or strings.icontains(body.current_thread.text,
159+ strings.concat("You have received this email because ",
160+ sender.email.email,
161+ " received a file or folder"
162+ )
163+ )
164+ or any(recipients.to,
165+ strings.icontains(body.current_thread.text,
166+ strings.concat("You have received this email because ",
167+ .email.email,
168+ " shared a document with you"
169+ )
170+ )
171+ )
172+ or any(recipients.to,
173+ strings.icontains(body.current_thread.text,
174+ strings.concat("You have received this email because ",
175+ .email.email,
176+ " received a file or folder"
177+ )
178+ )
179+ )
180+ or strings.icontains(body.current_thread.text,
181+ strings.concat(sender.display_name,
182+ " (",
183+ sender.email.email,
184+ ") ",
185+ "shared"
186+ )
187+ )
188+ // Google address from footer
189+ or 2 of (
190+ strings.icontains(body.current_thread.text, 'Google LLC'),
191+ strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
192+ strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
193+ )
194+ )
195+ and not all(body.links, .href_url.domain.root_domain in ("google.com"))
196+ and sender.email.domain.root_domain not in $org_domains
197+ and sender.email.domain.root_domain not in ("google.com")
198+ and not (
199+ all(headers.references, strings.ends_with(., '@docs-share.google.com'))
200+ and headers.return_path.domain.domain == "doclist.bounces.google.com"
201+ )
202+
203+ // negate highly trusted sender domains unless they fail DMARC authentication
204+ and (
205+ (
206+ sender.email.domain.root_domain in $high_trust_sender_root_domains
207+ and not headers.auth_summary.dmarc.pass
208+ )
209+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
210+ )
211+ and (
212+ profile.by_sender().solicited == false
213+ or profile.by_sender_email().prevalence == "new"
214+ or (
215+ profile.by_sender().any_messages_malicious_or_spam
216+ and not profile.by_sender().any_messages_benign
217+ )
218+ )
219+ and not profile.by_sender().any_messages_benign
220+ attack_types :
221+ - " Credential Phishing"
222+ - " Malware/Ransomware"
223+ detection_methods :
224+ - " Content analysis"
225+ - " Header analysis"
226+ - " URL analysis"
227+ - " Computer Vision"
228+ tactics_and_techniques :
229+ - " Impersonation: Brand"
230+ - " Social engineering"
231+ id : " 7eaed966-1a90-5082-b0bd-9f89fb0fbca4"
232+ og_id : " b424a941-2623-50f5-a3be-e90130e538d2"
233+ testing_pr : 3494
234+ testing_sha : b3e97b4d375468dfad9f2d57ca44d82d92cc5126
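Review bot: The link condition on line 195 (`not all(body.links, .href_url.domain.root_domain in ("google.com"))`) does not match the description on line 3: it fires when at least one link is off-Google rather than when no link points to Google, and because `all()` over an empty list is true it also suppresses the rule for a fake share that carries no hyperlinks at all (an attachment-only lure, which the Malware/Ransomware attack type on line 222 suggests is in scope). Either reword the description to "at least one link does not point to google.com" or, if the intent really is "no Google links", use `not any(body.links, .href_url.domain.root_domain in ("google.com"))`, which also holds for a link-free message. Separately, the trailing `and not profile.by_sender().any_messages_benign` on line 219 makes the same clause inside the `or` group on line 216 redundant and it can be dropped. "Med dig" also appears twice in the subject-phrase list (lines 78 and 92, Swedish and Danish); harmless, but one entry with a combined comment reads cleaner.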