High Severity

Link: Multistage Landing - Published Google Doc

Labels

Credential Phishing

Free file host

Social engineering

Natural Language Understanding

URL analysis

Whois

Description

A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs.

References

No references.

Sublime Security

Created May 14th, 2025 • Last updated May 14th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and not sender.email.domain.domain == "google.com"
and length(distinct(filter(body.links,
                           .href_url.domain.domain == "docs.google.com"
                    ),
                    .href_url.url
           )
) < 3
and any(filter(body.links,
               .href_url.domain.domain == "docs.google.com"
               and (
                 any(ml.nlu_classifier(.display_text).entities,
                     .name == "request"
                 )
                 or any(ml.nlu_classifier(.display_text).intents,
                        .name == "cred_theft"
                 )
               )
        ),
        strings.istarts_with(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                             "Published using Google Docs"
        )
        // filter down to links in the document where the display text is suspicious
        and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                       any(ml.nlu_classifier(.display_text).entities,
                           .name == "request"
                       )
                       or any(ml.nlu_classifier(.display_text).intents,
                              .name == "cred_theft"
                       )
                ),
                (
                  // any of those links domains are new
                  network.whois(.href_url.domain).days_old < 30

                  // go to free subdomains hosts
                  or (
                    .href_url.domain.root_domain in $free_subdomain_hosts
                    // where there is a subdomain
                    and .href_url.domain.subdomain is not null
                    and .href_url.domain.subdomain != "www"
                  )
                  // go to url shortners
                  or .href_url.domain.root_domain in $url_shorteners
                  or .href_url.domain.domain in $url_shorteners

                  // go to suspicious TLDs
                  or .href_url.domain.tld in $suspicious_tlds

                  // check for a second stage website that contains a suspicious link
                  // in other words, this LA call is inspecting links in sites on the Google Doc page
                  // we have seen Google Docs -> Google Slides (which this call is inspecting) -> malicious site
                  or any(ml.link_analysis(.href_url).final_dom.links,
                         .href_url.domain.root_domain in $free_file_hosts
                         or .href_url.domain.domain in $free_file_hosts
                         or (
                           .href_url.domain.root_domain in $free_subdomain_hosts
                           // where there is a subdomain
                           and .href_url.domain.subdomain is not null
                           and .href_url.domain.subdomain != "www"
                         )
                         or .href_url.domain.root_domain in $url_shorteners
                         or .href_url.domain.domain in $url_shorteners

                         // go to suspicious TLDs
                         or .href_url.domain.tld in $suspicious_tlds
                  )
                )
        )
)
and not (
  length(headers.reply_to) == 1
  and all(headers.reply_to, .email.domain.domain in $org_domains)
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.