Medium Severity

Link to Google Apps Script macro via comment tagging

Labels

Credential Phishing

Malware/Ransomware

Description

Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.

References

https://twitter.com/bunnymaid/status/1415478829162762240

https://playground.sublimesecurity.com?id=de1a2916-3812-4caa-a443-d1986487d772

Sublime Security

Created Aug 17th, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and regex.contains(sender.display_name, '\(Google (Slides|Docs)')
and any(body.links,
        .href_url.domain.domain == "script.google.com"
        and strings.ilike(.href_url.path, "/macros*")
)
and 1 of (
  strings.ilike(body.plain.raw, '*you have ? hours*'),
  strings.ilike(body.plain.raw, '*transfer of funds*'),
  strings.ilike(body.plain.raw, '*order your funds*')
  // Or the Sender Display Name is not in your Org Display Names
  or not any($org_display_names,
             strings.istarts_with(sender.display_name,
                                  strings.concat(., " (Google ")
             )
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.