Sublime Core Feed

Description

Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jan 12th, 2026
Source
type.inbound
and length(body.links) > 0

// Google Logo in Attachment
and any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name in ("Google"))
)
and any(attachments,
        .file_type in $file_types_images
        and (
          any(file.explode(.),
              // Fake activity warning
              3 of (
                strings.ilike(.scan.ocr.raw, "*new sign-in*"),
                strings.ilike(.scan.ocr.raw, "*google account*"),
                strings.ilike(.scan.ocr.raw, "*secure your account*"),
                strings.ilike(.scan.ocr.raw, "*check activity*"),
              )
          )
        )
)

// legitimate sign-in warnings contain links to google.com, gmail.com or googleapis.com
and (
  not all(body.links,
          .href_url.domain.root_domain in (
            "google.com",
            "gmail.com",
            "googleapis.com"
          )
          or .href_url.domain.root_domain is null
  )
)
and sender.email.domain.root_domain not in $org_domains
and sender.email.domain.root_domain != "google.com"
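To make the rule's logic concrete, here is an added Python re-implementation of the same checks (image attachment with a Google logo, 3 of 4 OCR phrases, at least one link whose root domain is not a Google property or null, sender outside the org and not google.com) run over constructed sample messages. This is not Sublime's code or data model; the Attachment/Message classes, the image type set, and the two-label root-domain helper are simplifying assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical stand-ins for the message fields the rule reads (not Sublime's data model).
@dataclass
class Attachment:
    file_type: str
    logo_brands: list   # stands in for the .name values of ml.logo_detect(.).brands
    ocr_text: str       # stands in for .scan.ocr.raw of the exploded file

@dataclass
class Message:
    sender_domain: str  # sender.email.domain.root_domain
    links: list         # href URLs from body.links
    attachments: list

IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "webp"}          # assumed subset of $file_types_images
GOOGLE_ROOTS = {"google.com", "gmail.com", "googleapis.com"}
PHRASES = ("new sign-in", "google account", "secure your account", "check activity")

def link_root_domain(url):
    """Crude root domain: last two host labels, no public-suffix list (simplification)."""
    host = urlparse(url).hostname
    if not host:
        return None                     # mirrors `root_domain is null` (e.g. mailto: links)
    return ".".join(host.split(".")[-2:])

def fake_warning(att):
    """`3 of (...)` with case-insensitive substring matches, like strings.ilike with wildcards."""
    text = att.ocr_text.lower()
    return sum(p in text for p in PHRASES) >= 3

def matches_rule(msg, org_domains):
    if not msg.links:                   # length(body.links) > 0
        return False
    images = [a for a in msg.attachments if a.file_type in IMAGE_TYPES]
    google_logo = any("Google" in a.logo_brands for a in images)
    warning = any(fake_warning(a) for a in images)
    roots = [link_root_domain(u) for u in msg.links]
    all_google = all(r is None or r in GOOGLE_ROOTS for r in roots)
    sender_ok = msg.sender_domain not in org_domains and msg.sender_domain != "google.com"
    return google_logo and warning and not all_google and sender_ok

# Constructed samples: a lure whose only link leaves Google, and a benign alert from google.com.
OCR = "New sign-in on Windows\nYour Google Account\nSecure your account\nCheck activity"
LURE = Message("mail-alerts.example", ["https://verify-login.example/auth"],
               [Attachment("png", ["Google"], OCR)])
BENIGN = Message("google.com", ["https://myaccount.google.com/notifications", "mailto:help@google.com"],
                 [Attachment("png", ["Google"], OCR)])

if __name__ == "__main__":
    print(matches_rule(LURE, {"corp.example"}), matches_rule(BENIGN, {"corp.example"}))
```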