Brand impersonation: Google fake sign-in warning

name: "Brand impersonation: Google fake sign-in warning"
description: |
  Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.links) > 0
  
  // Google Logo in Attachment
  and any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands, .name in ("Google"))
  )
  and any(attachments,
          .file_type in $file_types_images
          and (
            any(file.explode(.),
                // Fake activity warning
                3 of (
                  strings.ilike(.scan.ocr.raw, "*new sign-in*"),
                  strings.ilike(.scan.ocr.raw, "*google account*"),
                  strings.ilike(.scan.ocr.raw, "*secure your account*"),
                  strings.ilike(.scan.ocr.raw, "*check activity*"),
                )
            )
          )
  )
  
  // legitimate sign-in warnings contains links to google, gmail or googleapis.com
  and (
    not all(body.links,
            .href_url.domain.root_domain in (
              "google.com",
              "gmail.com",
              "googleapis.com"
            )
            or .href_url.domain.root_domain is null
    )
  )
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain != "google.com"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "2d998eee-476b-5f9c-a244-3c11f79138dd"