• Sublime Core Feed
High Severity

Link: Multistage Landing - Abused Google Drive

Labels

Credential Phishing
Evasion
Free email provider
Free file host
Content analysis
Sender analysis
URL analysis
Whois
HTML analysis

Description

The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a common website.

References

No references.

Sublime Security
Created Sep 11th, 2024 • Last updated May 5th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// the reply-to address is new or unsolicited
and (
  // reply-to address has never sent an email to the org
  beta.profile.by_reply_to().prevalence == "new"

  // reply-to email address has never been sent an email by the org
  or not beta.profile.by_reply_to().solicited
)

// message is from google actual
and sender.email.domain.domain == 'google.com'
and (
  sender.email.local_part == "drive-shares-noreply"
  or sender.email.local_part == "drive-shares-dm-noreply"
)
and headers.auth_summary.spf.pass
and strings.ends_with(headers.auth_summary.spf.details.designator,
                      'doclist.bounces.google.com'
)
and headers.auth_summary.dmarc.pass

// not where the reply_to address is within org_domains
and not any(headers.reply_to, .email.domain.domain in $org_domains)

// not where the sender display name is within org_display_names
and not any(regex.iextract(sender.display_name,
                           '^(?P<sender_display_name>.*)\((?:via )?Google'
            ),
            .named_groups["sender_display_name"] in~ $org_display_names
)

// threat actors dont want others to edit the share
and not strings.icontains(body.current_thread.text, 'invited you to edit')
and (
  // check the shared filed name for suspicious indicators
  // alerting keywords
  regex.icontains(strings.replace_confusables(subject.subject),
                  ': \".*(?:Immediate|Urgent|Critical|Alert|Warning|Urgent|Important|Critical Alert|Security Notice)[!:\-]?[^\"]*\"'
  )
  // account issues
  or regex.icontains(strings.replace_confusables(subject.subject),
                     ': \".*(?:Online|Bank(?:ing)?|User|Account|Access|[[:punct:]\s]?(?:ID)|Transactions)\b.*\b(?:Security|Recover|Blocked|Suspen(?:ded|sion)|Restricted|Locked|Disabled|Frozen|Closed)[^\"]*\"'
  )
  // keywords themed as Suspicious
  or regex.icontains(strings.replace_confusables(subject.subject),
                     ': \".*(Suspicious|Unauthorized|Unrecognized|Fraudulent|Scam)\b.*\b(Activity|Transaction|Log[- ]?In|Access|Entry|Sign[- ]?In|Detected)[^\"]*\"'
  )
  // account/identify verification keywords
  or regex.icontains(strings.replace_confusables(subject.subject),
                     ': \".*(?:(?:Verify|Confirm|Update|Review|Complete)\b.*\b(Your (Identity|Account|Online[- ]?ID|Billing Information))|(?:(?:Action|Attention|Verification|Review)[[:punct:]\s](?:Needed|Required)))[^\"]*\"'
  )
  or ( // filenames that in References/ID keywords
    regex.icontains(strings.replace_confusables(subject.subject),
                    ': \".*[[:punct:]\s]+\w+[[:punct:]\s]*[a-zA-Z]*[0-9][a-zA-Z0-9]*\"$'
    )
    // the above regex is a bit "open", so close it by checking it with a more specific "ending" pattern.
    and regex.icontains(strings.replace_confusables(subject.subject),
                        '[[:punct:]]\s*[a-z0-9]{5,}\"$'
    )
  )

  // finally get ready to do link analysis
  // filter out all the links, keeping only the links of interest
  or any(filter(body.links,
                // target the "Open" link
                (
                  .href_url.domain.domain == "drive.google.com"
                  and strings.icontains(.href_url.path, '/view')
                  // this isn't controlled by the actor
                  and .display_text == "Open"
                )
         ),
         // the Google Drive page has been taken down due to TOS violations
         strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                           "You can't access this item because it is in violation of our Terms of Service"
         )
         // if not taken down
         // inspect the links on the page
         or any(filter(ml.link_analysis(., mode="aggressive").additional_responses,
                       .url.path == "/viewerng/presspage"
                ),
                any(.json,
                    any(.,
                        any(., // this gets us to the array that contains the links embedded in the PDF
                            network.whois(strings.parse_url(.).domain).days_old < 30
                            or strings.parse_url(.).domain.tld in $suspicious_tlds
                            or (
                              strings.parse_url(.).domain.root_domain in $free_subdomain_hosts
                              and strings.parse_url(.).domain.subdomain is not null
                              and strings.parse_url(.).domain.subdomain != "www"
                            )
                            or strings.parse_url(.).domain.domain in $free_file_hosts
                            or strings.parse_url(.).domain.root_domain in $free_file_hosts
                            or strings.parse_url(.).domain.domain in $url_shorteners
                            or strings.parse_url(.).domain.root_domain in $url_shorteners
                        )
                    )
                )
         )
         // if not taken down
         // filter down the links on the google drive page to those that are external to google
         or any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                       .href_url.domain.root_domain != 'google.com'
                       // relative links (no domains)
                       and .href_url.domain.domain is not null
                ),
                (
                  // any of those links domains are new
                  network.whois(.href_url.domain).days_old < 30
                  // go to free file hosts
                  or .href_url.domain.root_domain in $free_file_hosts
                  or .href_url.domain.domain in $free_file_hosts

                  // go to free subdomains hosts
                  or (
                    .href_url.domain.root_domain in $free_subdomain_hosts
                    // where there is a subdomain
                    and .href_url.domain.subdomain is not null
                    and .href_url.domain.subdomain != "www"
                  )
                  // go to url shortners
                  or .href_url.domain.root_domain in $url_shorteners
                  or .href_url.domain.domain in $url_shorteners
                  or (
                    // find any links that mention common "action" words
                    regex.icontains(.display_text,
                                    '(?:view|click|show|access|download|continue|goto|Validate|Va[il]idar|login|verify|account)'
                    )
                    and (
                      // and when visiting those links, are phishing
                      ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                      // hit a captcha page
                      or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                      // or the page redirects to common website, observed when evasion happens
                      or (
                        length(ml.link_analysis(., mode="aggressive").redirect_history
                        ) > 0
                        and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                      )
                    )
                  )
                )
         )
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started