Sublime rule (severity: medium)
Link: Google Forms link with credential theft language
Detects messages containing Google Forms links paired with credential theft language from new senders. This technique abuses Google's trusted domain to host malicious forms designed to steal user credentials.
Detection Query
type.inbound
// cred_theft intent
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)
// google form link
and any(body.current_thread.links,
        .href_url.domain.domain == "docs.google.com"
        and strings.istarts_with(.href_url.path, '/form')
)
// new sender
and profile.by_sender_email().prevalence == "new"
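As an added illustration (not Sublime's code and not the rule's real runtime), the block below re-implements the three AND-ed conditions in Python and runs them over constructed sample messages. The classifier intents and the sender prevalence are supplied as plain fields on each message, standing in for ml.nlu_classifier() and profile.by_sender_email(); the link test uses urllib to mirror what .href_url.domain.domain and strings.istarts_with check. All sender addresses and URLs are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Intent:
    # Shape of one entry in ml.nlu_classifier(...).intents, as the rule uses it
    name: str
    confidence: str  # the rule only tests that this is not "low"


@dataclass
class Message:
    # Hypothetical flattened message: the classifier output and the sender
    # profile are supplied as fields instead of being computed by Sublime.
    inbound: bool
    sender_email: str
    links: list             # href strings from body.current_thread.links
    intents: list           # constructed stand-in for ml.nlu_classifier(...).intents
    sender_prevalence: str  # constructed stand-in for profile.by_sender_email().prevalence


def is_google_form_link(href: str) -> bool:
    """Mirror the rule's link test.

    .href_url.domain.domain is the full host, so the comparison is an exact
    match against "docs.google.com" (no subdomain or lookalike matching), and
    strings.istarts_with is a case-insensitive prefix test on the path, so
    "/form" also covers "/forms/...".
    """
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    return host == "docs.google.com" and parsed.path.lower().startswith("/form")


def has_cred_theft_intent(intents) -> bool:
    # any(intents, .name == "cred_theft" and .confidence != "low")
    return any(i.name == "cred_theft" and i.confidence != "low" for i in intents)


def matches_rule(msg: Message) -> bool:
    # The three conditions are AND-ed, exactly as in the MQL above.
    return (
        msg.inbound
        and has_cred_theft_intent(msg.intents)
        and any(is_google_form_link(href) for href in msg.links)
        and msg.sender_prevalence == "new"
    )


# Constructed sample messages, each flipping one condition of the rule.
FORM_URL = "https://docs.google.com/forms/d/e/1FAIpQLSexample/viewform"  # constructed
SAMPLES = {
    "phish": Message(True, "payroll@newdomain.example", [FORM_URL],
                     [Intent("cred_theft", "high")], "new"),
    "known_sender": Message(True, "hr@partner.example", [FORM_URL],
                            [Intent("cred_theft", "high")], "common"),
    "low_confidence": Message(True, "x@newdomain.example", [FORM_URL],
                              [Intent("cred_theft", "low")], "new"),
    "drive_link": Message(True, "x@newdomain.example",
                          ["https://docs.google.com/document/d/abc"],
                          [Intent("cred_theft", "high")], "new"),
    "outbound": Message(False, "me@corp.example", [FORM_URL],
                        [Intent("cred_theft", "high")], "new"),
}


def evaluate_samples() -> dict:
    """Return {sample name: whether the rule would fire}."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:15s} -> {'MATCH' if fired else 'no match'}")
```

Running the block prints which constructed sample fires. The known_sender case shows the rule's deliberate scope: the same lure from a sender the organisation has already seen (for example a compromised partner mailbox) does not match, because prevalence must be "new", so this rule is a first-contact control rather than a general Google Forms phishing detector.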
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Google Forms link with credential theft language"
description: "Detects messages containing Google Forms links paired with credential theft language from new senders. This technique abuses Google's trusted domain to host malicious forms designed to steal user credentials."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // cred_theft intent
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
  // google form link
  and any(body.current_thread.links,
          .href_url.domain.domain == "docs.google.com"
          and strings.istarts_with(.href_url.path, '/form')
  )
  // new sender
  and profile.by_sender_email().prevalence == "new"
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
id: "0cad40e2-dfe8-5d95-b611-b963a0918f61"