High Severity
Google Drive abuse: Credential phishing link
Description
This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.
The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.
References
No references.
Sublime Security
Created Nov 30th, 2023 • Last updated Jul 31st, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.email in (
"drive-shares-dm-noreply@google.com",
"drive-shares-noreply@google.com"
)
// malicious observed shares don't include the google "Added you as an editor" phrase.
// allowing user edits to a malicous document could neuter the threat
and not strings.contains(body.current_thread.text, "added you as an editor")
and any(filter(body.links,
.href_url.domain.domain != "support.google.com"
and .display_text == "Open"
),
(
(
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
)
and length(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot
).brands
) > 0
)
or any(file.explode(ml.link_analysis(.).screenshot),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
and (
length(ml.logo_detect(ml.link_analysis(..).screenshot).brands
) > 0
and ml.link_analysis(..).credphish.disposition == "phishing"
)
)
and not ml.link_analysis(..).effective_url.domain.domain == "accounts.google.com"
// standard Google Docs error
and not strings.contains(.scan.ocr.raw,
"encountered an error. Please try reloading this page"
)
)
)
Playground
Test against your own EMLs or sample data.