Sublime Core Feed
Medium Severity

Open Redirect: Google domain with /url path and suspicious indicators

Labels

Credential Phishing
Evasion
Open redirect
Computer Vision
Content analysis
File analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
URL analysis

Description

This rule examines messages that carry image attachments (or no attachments) and link through Google's open redirect (google[.]com/url...). To improve accuracy and reduce false positives, the rule also checks for additional suspicious indicators, as noted in the comments of the rule body.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jan 10th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// All attachments are images or 0 attachments
and (
  (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
  or length(attachments) == 0
)
and sender.email.domain.root_domain not in $org_domains
// negate auth'ed google messages
and not (
  sender.email.domain.sld == "google"
  and sender.email.local_part in ("googlealerts-noreply", "comments-noreply")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)
// not a reply
and (
  length(headers.references) == 0
  or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// With a Google Redirect
and any(body.links,
        (
          .href_url.domain.sld == "google"
          and .href_url.path == "/url"
          and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
        )
        or any(.href_url.rewrite.encoders, . == 'google_open_redirect')
)
and 2 of (
  // Not a google logo
  any(attachments,
      .file_type in $file_types_images
      and (
        any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
        or any(ml.logo_detect(beta.message_screenshot()).brands,
               not strings.starts_with(.name, "Google")
        )
      )
  ),
  // Body analysis - NLU - Credential theft
  (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in~ ("medium", "high")
    )
  ),
  // Image analysis - NLU - Credential theft language
  (
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
        )
    )
  ),
  // Content analysis - Body - Urgency
  (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
  ),

  // White font is found in html raw
  (
    length(body.html.display_text) < 500
    and regex.icontains(body.html.raw,
                        '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
    )
  )

  // domains using .app matching this pattern observed abusing google's redirect
  or regex.icontains(sender.email.domain.domain, '[a-z]{3,}\.\d{5,}[^\.]+\.app$')
)
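The link and sender checks in the rule above can be ported to plain Python for triage or offline testing of a message's URLs. The following is an added example, not part of the Sublime rule or page, and it reproduces only the non-ML parts of the logic: the Google /url redirect test (with the same query regex), extraction of the redirect's real destination from the q parameter, the .app sender-domain pattern, and the "2 of" gating. The ML-backed indicators (logo detection, NLU, OCR) are passed in as booleans. `second_level_domain` approximates MQL's `.sld` with the second-to-last host label, which is an assumption (MQL uses the public suffix list), and all sample links and domains are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Regexes copied from the rule body.
REDIRECT_QUERY_RE = re.compile(r"hl=.{2}&q=http(s)?://")
APP_SENDER_RE = re.compile(r"[a-z]{3,}\.\d{5,}[^\.]+\.app$", re.IGNORECASE)


def second_level_domain(host: str) -> str:
    """Assumption: approximate MQL's .sld with the second-to-last label.
    MQL uses the public suffix list, so hosts under suffixes like co.uk differ here."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_google_open_redirect(url: str) -> bool:
    """Port of the link test: google sld, path exactly /url, and a raw query of the
    form hl=xx&q=http(s)://... (tested unparsed, as regex.contains does in the rule)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return (second_level_domain(host) == "google"
            and parts.path == "/url"
            and REDIRECT_QUERY_RE.search(parts.query) is not None)


def redirect_target(url: str):
    """Return the destination the redirect forwards to (the q parameter), or None
    if the link is not a Google /url redirect. For triage, the destination, not
    google.com, is the host worth reputation-checking."""
    if not is_google_open_redirect(url):
        return None
    return parse_qs(urlsplit(url).query).get("q", [None])[0]


def is_suspicious_app_sender(sender_domain: str) -> bool:
    """The .app sender-domain pattern from the last clause of the rule."""
    return APP_SENDER_RE.search(sender_domain) is not None


def rule_matches(links, sender_domain, not_google_logo, body_cred_theft,
                 ocr_cred_theft, body_urgency, white_font):
    """Mirror the rule's gating as written: a Google redirect link must be present,
    then at least two of the five indicator groups must hold. As the rule is
    written, the .app sender pattern is OR'ed into the fifth group (white font)
    rather than counted as a separate sixth indicator, and that is mirrored here."""
    if not any(is_google_open_redirect(u) for u in links):
        return False
    indicators = [
        not_google_logo,
        body_cred_theft,
        ocr_cred_theft,
        body_urgency,
        white_font or is_suspicious_app_sender(sender_domain),
    ]
    return sum(1 for flag in indicators if flag) >= 2


# Constructed sample data (not from the original page).
SAMPLE_LINKS = [
    "https://www.google.com/search?q=quarterly+report",
    "https://www.google.com/url?hl=en&q=https://account-verify.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", redirect_target(link))
    print("rule matches:", rule_matches(SAMPLE_LINKS, "example.com",
                                        False, True, False, True, False))
```

The query regex is applied to the raw query string exactly as the rule does, so a /url link without the `hl=xx&` prefix is not counted, which matches the published rule rather than a looser "any q= parameter" test.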