Sublime Core Feed
Medium Severity

Google Accelerated Mobile Pages (AMP) abuse

Labels

Credential Phishing
Malware/Ransomware
Impersonation: Brand
Open redirect
Computer Vision
Content analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
URL analysis
URL screenshot

Description

This rule identifies phishing attempts that abuse Google AMP's URL structure. It first matches the specific URL pattern, then analyzes both the message content and the destination of the link to distinguish legitimate Google AMP pages from malicious use.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// Any body links with a domain SLD of 'google' and a path starting with /amp
and any(body.links,
        .href_url.domain.sld == "google"
        and strings.starts_with(.href_url.path, "/amp/")

        // Brand logo detected in the message screenshot that is not Google
        and (
          any(ml.logo_detect(beta.message_screenshot()).brands,
              .name is not null and .name != "Google"
          )

          // or the page has a login or captcha
          or (
            ml.link_analysis(.).credphish.contains_login
            or ml.link_analysis(.).credphish.contains_captcha
          )

          // or link analysis concludes phishing with medium or high brand confidence
          or any([ml.link_analysis(.)],
                 .credphish.disposition == "phishing"
                 and .credphish.brand.confidence in ("medium", "high")
          )

          // or NLU detected cred theft on the landing page
          or any(file.explode(ml.link_analysis(.).screenshot),
                 any(ml.nlu_classifier(.scan.ocr.raw).intents,
                     .name == "cred_theft" and .confidence in ("medium", "high")
                 )

                 // captcha partially loaded
                 or strings.icontains(.scan.ocr.raw, "Checking if the site connection is secure")
          )

          // or the link display text contains "password"
          or strings.icontains(.display_text, "password")

          // or the link path contains the recipient's email address
          or any(recipients.to,
                 strings.icontains(..href_url.path, .email.email)
                 and (
                   .email.domain.valid
                   or strings.icontains(.display_name, "undisclosed")
                 )
          )
        )
)
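As an added illustration (not part of the Sublime rule or this page), the deterministic parts of the rule's URL logic in Python: matching the google SLD plus /amp/ path prefix, unwrapping the destination the AMP viewer embeds after /amp/s/ (https) or /amp/ (http), and the display-text and recipient-in-path branches. The suffix list, sample links and recipient address are constructed assumptions; the ML, OCR and link-analysis branches need Sublime's runtime and are not reproduced.

```python
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Assumption: a tiny stand-in for the public-suffix list, enough for the samples.
_SUFFIXES = {"com", "net", "org", "co.uk", "com.br"}

# Constructed sample links (not from the page); the first embeds the recipient
# address in the path, the second is a legitimate-looking AMP viewer link.
PHISHY_LINK = "https://www.google.com/amp/s/example-login.test/verify/victim%40corp.example"
LEGIT_LINK = "https://www.google.co.uk/amp/news.example/story"


def sld_of(host: str) -> str:
    """Second-level label, e.g. 'google' for 'www.google.co.uk' (rule's domain.sld)."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer public suffix first
        if len(labels) > n and ".".join(labels[-n:]) in _SUFFIXES:
            return labels[-n - 1]
    return labels[-2] if len(labels) >= 2 else host


def amp_destination(url: str) -> Optional[str]:
    """Return the wrapped destination (path only, still percent-encoded) if url
    matches the rule's pattern: SLD 'google' and a path starting with /amp/.
    The AMP viewer uses /amp/s/<host>/<path> for https and /amp/<host>/<path> for http."""
    parts = urlsplit(url)
    if sld_of(parts.hostname or "") != "google" or not parts.path.startswith("/amp/"):
        return None
    rest = parts.path[len("/amp/"):]
    scheme = "http"
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    return f"{scheme}://{rest}" if rest else None


def recipient_in_path(url: str, recipient_email: str) -> bool:
    """Rule's last branch: the recipient's address appears in the link path."""
    return recipient_email.lower() in unquote(urlsplit(url).path).lower()


def flag_amp_link(url: str, display_text: str, recipient_email: str) -> List[str]:
    """Reasons an AMP viewer link trips the rule's non-ML branches ([] if none)."""
    if amp_destination(url) is None:
        return []
    reasons = []
    if "password" in display_text.lower():
        reasons.append("display_text_mentions_password")
    if recipient_in_path(url, recipient_email):
        reasons.append("recipient_email_in_path")
    return reasons
```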