Low Severity
Impersonation: Chrome Web Store Policy
Description
Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation.
References
Sublime Security
Created Jan 15th, 2025 • Last updated Mar 18th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.domain.domain != 'gmail.com'
and (
// subject and sender
sender.email.domain.root_domain in (
"chromeforextension.com",
"forextensions.com",
"supportchromestore.com"
)
or (
2 of (
strings.icontains(sender.email.domain.root_domain, 'chrome'),
strings.icontains(sender.email.domain.root_domain, 'support'),
strings.icontains(sender.email.domain.root_domain, 'extension'),
strings.icontains(sender.email.domain.root_domain, 'webstore')
)
)
or strings.icontains(sender.email.local_part, 'chromewebstore')
or strings.icontains(sender.display_name, "Webstore Extension")
or strings.icontains(subject.subject, 'Chrome Web Store Policy')
// body and html
or strings.icontains(body.html.raw,
'<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
)
or regex.icontains(body.current_thread.text,
'Item name: [^\s]+ security extension'
)
or strings.icontains(body.current_thread.text,
'Chrome Web Store Developer Support'
)
or strings.icontains(body.current_thread.text, 'Developer Program Policies')
or strings.icontains(body.current_thread.text,
'Relevant section of the program policy:'
)
or strings.icontains(body.current_thread.text,
'Please accept our policies to continue publishing your products.'
)
// links
or (
length(distinct(body.links, .href_url.domain.root_domain)) < 10
and any(body.links,
.href_url.domain.root_domain in (
"checkpolicy.site",
"extensionpolicyprivacy.com",
"extensionpolicy.net",
"policyextension.info"
)
or .href_url.path == '/extension-policy-check'
or .display_text == "Go To Policy"
)
)
)
// negate messages sent by Google support
and not (
sender.email.domain.root_domain == 'google.com'
and headers.auth_summary.dmarc.pass
)
Playground
Test against your own EMLs or sample data.