type.inbound

// Google Drive body content looks like this
and (
  (
    (
      any([body.current_thread.text, body.plain.raw],
          strings.ilike(.,
                        "*shared a file with you*",
                        "*shared with you*",
                        "*invited you to review*",
                        "*received a document*",
                        "*shared a document*",
                        "*shared this document*",
                        "*shared an item*",
                        "*received this email because you*"
          )
      )
      or any(file.explode(beta.message_screenshot()),
             strings.ilike(.scan.ocr.raw,
                           "*shared a file with you*",
                           "*shared with you*",
                           "*invited you to review*",
                           "*received a document*",
                           "*shared a document*",
                           "*shared this document*",
                           "*shared an item*",
                           "*received this email because you*"
             )
      )
    )
    and (
      strings.ilike(subject.subject,
                    "*shared*",
                    "*updated*",
                    "*sign*",
                    "*review*"
      )
      or any(recipients.to, strings.icontains(subject.subject, .email.domain.sld))
      or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
      or any(body.links, strings.icontains(.display_text, "open document"))
      or strings.ilike(sender.display_name, "*Google Drive*")
      or subject.subject is null
      or subject.subject == ""
    )
  )
  or any([
           "Contigo", // Spanish
           "Avec vous", // French
           "Mit Ihnen", // German
           "Con te", // Italian
           "Com você", // Portuguese
           "Met u", // Dutch
           "С вами", // Russian
           "与你", // Chinese (Simplified)
           "與您", // Chinese (Traditional)
           "あなたと", // Japanese
           "당신과", // Korean
           "معك", // Arabic
           "آپ کے ساتھ", // Urdu
           "আপনার সাথে", // Bengali
           "आपके साथ", // Hindi
           "Sizinle", // Turkish // Azerbaijani
           "Med dig", // Swedish
           "Z tobą", // Polish
           "З вами", // Ukrainian
           "Önnel", // Hungarian
           "Μαζί σας", // Greek
           "איתך", // Hebrew
           "กับคุณ", // Thai
           "Với bạn", // Vietnamese
           "Dengan Anda", // Indonesian // Malay
           "Nawe", // Swahili
           "Cu dumneavoastră", // Romanian
           "S vámi", // Czech
           "Med deg", // Norwegian
           "S vami", // Slovak
           "Med dig", // Danish
           "Amb vostè", // Catalan
           "Teiega", // Estonian
           "S vama", // Serbian
         ],
         strings.icontains(subject.subject, .)
  )
)

// contains logic that impersonates Google
and (
  any(ml.logo_detect(beta.message_screenshot()).brands,
      strings.starts_with(.name, "Google")
  )
  or any(attachments,
         .file_type in $file_types_images
         and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
  )
  or strings.icontains(body.current_thread.text,
                       strings.concat("You have received this email because ",
                                      sender.email.email,
                                      " shared a document with you"
                       )
  )
  or strings.icontains(body.current_thread.text,
                       strings.concat("You have received this email because ",
                                      sender.email.email,
                                      " received a file or folder"
                       )
  )
  or any(recipients.to,
         strings.icontains(body.current_thread.text,
                           strings.concat("You have received this email because ",
                                          .email.email,
                                          " shared a document with you"
                           )
         )
  )
  or any(recipients.to,
         strings.icontains(body.current_thread.text,
                           strings.concat("You have received this email because ",
                                          .email.email,
                                          " received a file or folder"
                           )
         )
  )
  // Google address from footer
  or 2 of (
    strings.icontains(body.current_thread.text, 'Google LLC'),
    strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
    strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
  )
)
and not all(body.links, .href_url.domain.root_domain in ("google.com"))
and sender.email.domain.root_domain not in $org_domains
and sender.email.domain.root_domain not in ("google.com")
and not (
  all(headers.references, strings.ends_with(., '@docs-share.google.com'))
  and headers.return_path.domain.domain == "doclist.bounces.google.com"
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  profile.by_sender().solicited == false
  or profile.by_sender_email().prevalence == "new"
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started

Brand impersonation: Google Drive fake file share

Labels

Description

References

Playground

Share

Get Started. Today.