• Sublime Core Feed
Medium Severity

Google Presentation Open Redirect Phishing

Labels

Credential Phishing
Evasion
Open redirect
Social engineering
URL analysis
HTML analysis

Description

Detects emails containing links to Google Document Presentations that either have a single page with a single external link, have been removed for Terms of Service violations, or have been deleted.

References

No references.

Sublime Security
Created Jun 28th, 2024 • Last updated Apr 24th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and not strings.icontains(body.current_thread.text, 'invited you to edit')
and any(body.links,
        // body link is to a google doc presentation
        .href_url.domain.domain == "docs.google.com"
        and strings.istarts_with(.href_url.path, '/presentation/')

        // prefilter some to avoid clicking on _every_ google presentation link
        and ( 
          ( 
            // make sure the display text is in the current thread and not a previous one.
            strings.icontains(body.current_thread.text, .display_text)
            // the display_text ends with a word that is 4-10 long
            and regex.icontains(.display_text, '[[:punct:]\s][a-z0-9]{5,9}$')
            // that word has to include a letter AND a number
            and regex.icontains(.display_text,
                                '[[:punct:]\s](?:[a-z0-9]*[a-z][0-9][a-z0-9]*|[a-z0-9]*[0-9][a-z][a-z0-9]*)$'
            )
            and strings.iends_with(.href_url.path, '/pub')
          )
          or 
          // finally send the link to link analysis that presentation...
          (
            // contains a slingle link
            length(ml.link_analysis(., mode="aggressive").final_dom.links) == 1

            // cannot be edited via link provided
            and strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                                 'canEdit:  false'
            )

            // and a single page
            and strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                                 'slidePageCount:  1.0'
            )

            // where we have links which have been written via a google open redirect
            and any(ml.link_analysis(., mode="aggressive").final_dom.links,
                    // links are not in thhe org_domains
                    .href_url.domain.domain not in $org_domains
                    and (
                      (
                        // don't include high rep domains
                        .href_url.domain.domain not in $tranco_1m
                        and .href_url.domain.domain not in $umbrella_1m
                      )
                      // if it's in Tranco or Umbrella, still include it if it's one of these
                      or .href_url.domain.domain in $free_file_hosts
                      or .href_url.domain.root_domain in $free_file_hosts
                      or .href_url.domain.root_domain in $free_subdomain_hosts
                      // or it's a url shortner
                      or .href_url.domain.root_domain in $url_shorteners
                    )
                    // which have been "unrolled" by the google_open_redirect rule
                    and any(.href_url.rewrite.encoders,
                            . == "google_open_redirect"
                    )
            )
          )
          // or the presentation has been removed for violation of terms of service
          or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                               "We're sorry. You can't access this item because it is in violation of our Terms of Service."
          )
        )
)
// when the sender is not google, the sender should not be a common prevalence
and (
  ( // the message is not from google actual
    sender.email.email not in (
      'comments-noreply@docs.google.com',
      'drive-shares-dm-noreply@google.com',
      'drive-shares-noreply@google.com',
      'calendar-notification@google.com'
    )
    // ensure the sender prevalence is not common
    and profile.by_sender().prevalence != "common"
  )
  // or the message is from google actual
  or (
    sender.email.email in (
      'comments-noreply@docs.google.com',
      'drive-shares-dm-noreply@google.com',
      'drive-shares-noreply@google.com',
      'calendar-notification@google.com'
    )
  )
)

// not where the sender display name of the message is within org_display_names
and not (
  // the message is from google actual
  sender.email.email in (
    'comments-noreply@docs.google.com',
    'drive-shares-dm-noreply@google.com',
    'drive-shares-noreply@google.com',
    'calendar-notification@google.com'
  )
  and headers.auth_summary.dmarc.pass

  // but the sender display name is within org_display_names
  and any($org_display_names,
          strings.istarts_with(sender.display_name,
                               strings.concat(., " (via Google ")
          )
          or strings.istarts_with(sender.display_name,
                                  strings.concat(., " (Google ")
          )
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
// but ignore high_trust if the sender is one of the google actual senders
and (
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and sender.email.email in (
        'comments-noreply@docs.google.com',
        'drive-shares-dm-noreply@google.com',
        'drive-shares-noreply@google.com',
        'calendar-notification@google.com'
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started