← Back to Explore
sublimemediumRule
Google Accelerated Mobile Pages (AMP) abuse
This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities. The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish between legitimate Google AMP pages and potential malicious usage.
Detection Query
type.inbound
// Any body links with a domain SLD of 'google' and a path starting with /amp
and any(body.links,
.href_url.domain.sld == "google"
and strings.starts_with(.href_url.path, "/amp/")
// Brand Logo detected that is not google
and (
any(ml.logo_detect(file.message_screenshot()).brands,
.name is not null and .name != "Google"
)
// or the page has a login or captcha
or (
ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
)
// or linkanalysis concludes phishing of medium to high confidence
or any([ml.link_analysis(.)],
.credphish.disposition == "phishing"
and .credphish.brand.confidence in ("medium", "high")
)
// or NLU detected cred theft on the landing page
or any(file.explode(ml.link_analysis(.).screenshot),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
// captcha partially loaded
or strings.icontains(.scan.ocr.raw,
"Checking if the site connection is secure"
)
)
// or the link display text contains "password"
or strings.icontains(.display_text, "password")
// or the link contains the recipients email in the url path
or any(recipients.to,
strings.icontains(..href_url.path, .email.email)
and (
.email.domain.valid
or strings.icontains(.display_name, "undisclosed")
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Google Accelerated Mobile Pages (AMP) abuse"
description: |
This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities.
The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish
between legitimate Google AMP pages and potential malicious usage.
references:
- "https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/"
type: "rule"
severity: "medium"
source: |
type.inbound
// Any body links with a domain SLD of 'google' and a path starting with /amp
and any(body.links,
.href_url.domain.sld == "google"
and strings.starts_with(.href_url.path, "/amp/")
// Brand Logo detected that is not google
and (
any(ml.logo_detect(file.message_screenshot()).brands,
.name is not null and .name != "Google"
)
// or the page has a login or captcha
or (
ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
)
// or linkanalysis concludes phishing of medium to high confidence
or any([ml.link_analysis(.)],
.credphish.disposition == "phishing"
and .credphish.brand.confidence in ("medium", "high")
)
// or NLU detected cred theft on the landing page
or any(file.explode(ml.link_analysis(.).screenshot),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
// captcha partially loaded
or strings.icontains(.scan.ocr.raw,
"Checking if the site connection is secure"
)
)
// or the link display text contains "password"
or strings.icontains(.display_text, "password")
// or the link contains the recipients email in the url path
or any(recipients.to,
strings.icontains(..href_url.path, .email.email)
and (
.email.domain.valid
or strings.icontains(.display_name, "undisclosed")
)
)
)
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Impersonation: Brand"
- "Open redirect"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
- "URL analysis"
- "URL screenshot"
id: "46907029-ef83-50a8-9198-75af39dd5f3b"