Low Severity
Spam: Sexually Explicit Google Drive Share
Description
Detects suspicious Google Drive Share which containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report.
References
No references.
Sublime Security
Created May 29th, 2025 • Last updated May 29th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
//
// Warning: This rule contains sexually explicit keywords
//
and sender.email.email == "drive-shares-noreply@google.com"
// the invite is not from an $org_domain user
and all(headers.reply_to,
.email.domain.domain not in $org_domains
and .email.email not in $recipient_emails
and .email.email not in $sender_emails
)
// the subject or the body contain sexually explicit keywords
and any([subject.subject, body.current_thread.text],
// this regex should be kept in sync between the Google Group and the Looker Studio rules
regex.icontains(.,
'(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|\bcum\b|girlfriend|boyfriend|naked|porn|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|\bxxx\b|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult\s*(?:\w+\s+){0,2}\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
)
)
Playground
Test against your own EMLs or sample data.