Medium Severity
Service Abuse: Google Drive Share From New Reply-To Domain
Description
A Google Drive sharing notification, sent from Google's own share-notification addresses, whose Reply-To header carries an address on a recently registered domain (fewer than 30 days old by WHOIS). The Reply-To domain matches none of the organization's domains. Because the message itself originates from Google's infrastructure, sender reputation alone does not flag it; the newly registered Reply-To domain is the signal.
References
No references.
Sublime Security
Created Jan 9th, 2025 • Last updated Jan 9th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.email in (
    // Google's Drive share notification senders (fixed typo: "noreaply" never matches)
    'drive-shares-dm-noreply@google.com',
'drive-shares-noreply@google.com',
)
and not any(headers.reply_to, .email.domain.domain in $org_domains)
// the message needs to have a reply-to address
and length(headers.reply_to) > 0
// reply-to domain registered fewer than 30 days ago (WHOIS);
// a failed lookup yields no days_old, so the comparison is not satisfied
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
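The following Python is an offline emulation of the rule's logic, added here as an example; it is not Sublime's code and does not use the MQL engine. It assumes constructed stand-ins for `$org_domains` (`ORG_DOMAINS`) and for `network.whois(...).days_old` (`WHOIS_CREATED`, a table of registration dates), and the sample messages are constructed, not captures. It applies the rule's gates in the same order as the MQL and shows two behaviours the `any(...)` wording implies: a Reply-To with several addresses fires if any one of them is newly registered, and a domain with no WHOIS record never satisfies `days_old < 30`, so the rule stays silent for it.

```python
"""Offline emulation of the Google Drive reply-to rule (added example, not Sublime's code)."""
from datetime import date
from email import message_from_string
from email.utils import getaddresses

# The two Google Drive share notification senders the rule keys on.
DRIVE_SHARE_SENDERS = {
    "drive-shares-dm-noreply@google.com",
    "drive-shares-noreply@google.com",
}

# Constructed stand-in for the $org_domains list.
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Constructed stand-in for network.whois(domain).days_old: registration date by
# domain. A domain missing here models a WHOIS lookup that returns nothing.
WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "gmail.com": date(1995, 8, 13),
    "fresh-invoices-portal.com": date(2025, 1, 1),
}

# Evaluation date pinned to the rule's creation date so results are reproducible.
TODAY = date(2025, 1, 9)


def domain_age_days(domain, today=TODAY):
    """Days since registration, or None when the WHOIS table has no record."""
    created = WHOIS_CREATED.get(domain.lower())
    return None if created is None else (today - created).days


def sender_address(msg):
    """Bare From address, lower-cased ('' if absent or unparsable)."""
    parsed = getaddresses([msg.get("From", "")])
    return parsed[0][1].lower() if parsed else ""


def reply_to_domains(msg):
    """Domains of every Reply-To address; [] when the header is absent."""
    addrs = getaddresses(msg.get_all("Reply-To", []))
    return [addr.rpartition("@")[2].lower() for _, addr in addrs if "@" in addr]


def matches(raw_eml, today=TODAY):
    """Return True when the message satisfies every gate of the rule."""
    msg = message_from_string(raw_eml)
    # sender.email.email in (...)
    if sender_address(msg) not in DRIVE_SHARE_SENDERS:
        return False
    domains = reply_to_domains(msg)
    # length(headers.reply_to) > 0
    if not domains:
        return False
    # not any(headers.reply_to, .email.domain.domain in $org_domains)
    if any(d in ORG_DOMAINS for d in domains):
        return False
    # any(headers.reply_to, network.whois(.email.domain).days_old < 30)
    # An unknown age (None) never satisfies "< 30".
    for d in domains:
        age = domain_age_days(d, today)
        if age is not None and age < 30:
            return True
    return False


# Constructed sample messages (not real captures). Two Reply-To addresses in the
# first one: the old gmail.com address does not mask the 8-day-old domain.
SUSPICIOUS_EML = """\
From: Google Drive <drive-shares-dm-noreply@google.com>
Reply-To: bob@gmail.com, Accounts Payable <billing@fresh-invoices-portal.com>
To: alice@example.com
Subject: Document shared with you: "Invoice_4471.pdf"

Accounts Payable shared a file with you.
"""

OLD_DOMAIN_EML = """\
From: Google Drive <drive-shares-noreply@google.com>
Reply-To: bob@gmail.com
To: alice@example.com
Subject: Document shared with you: "Q1 plan"

Bob shared a file with you.
"""

INTERNAL_EML = """\
From: Google Drive <drive-shares-noreply@google.com>
Reply-To: carol@corp.example.com
To: alice@example.com
Subject: Document shared with you: "Roadmap"

Carol shared a file with you.
"""

NO_WHOIS_EML = """\
From: Google Drive <drive-shares-dm-noreply@google.com>
Reply-To: dave@nowhere.invalid
To: alice@example.com
Subject: Document shared with you: "Contract"

Dave shared a file with you.
"""

if __name__ == "__main__":
    for name in ("SUSPICIOUS_EML", "OLD_DOMAIN_EML", "INTERNAL_EML", "NO_WHOIS_EML"):
        print(f"{name}: {matches(globals()[name])}")
```

Two caveats follow from the logic rather than from the code: the rule only covers the legitimate notification path, so a message that merely spoofs the Google sender address is out of its scope, and a WHOIS lookup that returns nothing (privacy-proxied registrars, some ccTLDs) produces no `days_old`, which means a genuinely new domain can slip past this rule without any error being raised.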