← Back to Explore
sublimehighRule
Link: Multistage landing - Published Google Doc
A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs.
Detection Query
type.inbound
and not sender.email.domain.domain == "google.com"
and length(distinct(filter(body.links,
.href_url.domain.domain == "docs.google.com"
),
.href_url.url
)
) < 3
and any(filter(body.links,
.href_url.domain.domain == "docs.google.com"
and (
any(ml.nlu_classifier(.display_text).entities,
.name == "request"
)
or any(ml.nlu_classifier(.display_text).intents,
.name == "cred_theft"
)
)
),
strings.istarts_with(ml.link_analysis(., mode="aggressive").final_dom.display_text,
"Published using Google Docs"
)
// filter down to links in the document where the display text is suspicious
and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
any(ml.nlu_classifier(.display_text).entities,
.name == "request"
)
or any(ml.nlu_classifier(.display_text).intents,
.name == "cred_theft"
)
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
// go to suspicious TLDs
or .href_url.domain.tld in $suspicious_tlds
// check for a second stage website that contains a suspicious link
// in other words, this LA call is inspecting links in sites on the Google Doc page
// we have seen Google Docs -> Google Slides (which this call is inspecting) -> malicious site
or any(ml.link_analysis(.href_url).final_dom.links,
.href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
// go to suspicious TLDs
or .href_url.domain.tld in $suspicious_tlds
)
)
)
)
and not (
length(headers.reply_to) == 1
and all(headers.reply_to, .email.domain.domain in $org_domains)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Multistage landing - Published Google Doc"
description: "A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs."
type: "rule"
severity: "high"
source: |
type.inbound
and not sender.email.domain.domain == "google.com"
and length(distinct(filter(body.links,
.href_url.domain.domain == "docs.google.com"
),
.href_url.url
)
) < 3
and any(filter(body.links,
.href_url.domain.domain == "docs.google.com"
and (
any(ml.nlu_classifier(.display_text).entities,
.name == "request"
)
or any(ml.nlu_classifier(.display_text).intents,
.name == "cred_theft"
)
)
),
strings.istarts_with(ml.link_analysis(., mode="aggressive").final_dom.display_text,
"Published using Google Docs"
)
// filter down to links in the document where the display text is suspicious
and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
any(ml.nlu_classifier(.display_text).entities,
.name == "request"
)
or any(ml.nlu_classifier(.display_text).intents,
.name == "cred_theft"
)
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
// go to suspicious TLDs
or .href_url.domain.tld in $suspicious_tlds
// check for a second stage website that contains a suspicious link
// in other words, this LA call is inspecting links in sites on the Google Doc page
// we have seen Google Docs -> Google Slides (which this call is inspecting) -> malicious site
or any(ml.link_analysis(.href_url).final_dom.links,
.href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
// go to suspicious TLDs
or .href_url.domain.tld in $suspicious_tlds
)
)
)
)
and not (
length(headers.reply_to) == 1
and all(headers.reply_to, .email.domain.domain in $org_domains)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "URL analysis"
- "Whois"
id: "031e1ff8-3d7d-5bbe-8e61-f5f3d19e9760"