
Service abuse: Google application integration redirecting to suspicious hosts

Detects legitimate Google application integration emails that contain links redirecting to free file hosting services or free subdomain hosts, including Microsoft OAuth redirects to suspicious domains. These could indicate abuse of Google's legitimate service for malicious redirects.

Detection Query

// Scope to genuine, inbound Google "application integration" notifications:
// the sender is the fixed Google address and the message must pass DMARC, so
// the rule is about abuse of a legitimate service, not a spoofed sender.
type.inbound
and sender.email.email == "noreply-application-integration@google.com"
and headers.auth_summary.dmarc.pass
// Cap the link count; presumably this keeps the rule to short
// notification-style bodies and bounds the per-link WHOIS lookups below.
and length(body.links) < 10
// Fire if any link points, directly or through a Mimecast rewrite, at a host
// such a notification should not normally send recipients to.
and any(body.links,
        // Direct links: destination is a known free file host or free subdomain host.
        .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.root_domain in $free_file_hosts
        or .href_url.domain.domain in $free_subdomain_hosts
        // Mimecast link logic: for Mimecast-rewritten links the rule treats the
        // decoded 'domain' query parameter as the original destination host and
        // applies the same host checks to that value.
        or (
          .href_url.domain.root_domain in (
            "mimecastprotect.com",
            "mimecast.com"
          )
          and any(.href_url.query_params_decoded['domain'],
                  strings.parse_domain(.).domain in $free_file_hosts
                  or strings.parse_domain(.).root_domain in $free_file_hosts
                  // NOTE(review): this compares root_domain against $free_subdomain_hosts,
                  // while the direct-link branch above compares .domain -- confirm which
                  // is intended and align the two branches.
                  or strings.parse_domain(.).root_domain in $free_subdomain_hosts
                  // Wrapped destinations that are themselves commonly used as
                  // landing/redirect hosts: Google Cloud Storage and Microsoft
                  // sign-in (the "Microsoft OAuth" case in the description).
                  or . in (
                    "storage.cloud.google.com",
                    "login.microsoftonline.com"
                  )
          )
        )
        // Newly registered destination domain (WHOIS age under 30 days).
        or network.whois(.href_url.domain).days_old < 30
        // abuse observed: links on Google's own share.google domain.
        or .href_url.domain.root_domain == "share.google"
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Service abuse: Google application integration redirecting to suspicious hosts"
description: "Detects legitimate Google application integration emails that contain links redirecting to free file hosting services or free subdomain hosts, including Microsoft OAuth redirects to suspicious domains. These could indicate abuse of Google's legitimate service for malicious redirects."
type: "rule"
severity: "medium"
source: |
  // Scope to genuine, inbound Google "application integration" notifications:
  // the sender is the fixed Google address and the message must pass DMARC, so
  // the rule is about abuse of a legitimate service, not a spoofed sender.
  type.inbound
  and sender.email.email == "noreply-application-integration@google.com"
  and headers.auth_summary.dmarc.pass
  // Cap the link count; presumably this keeps the rule to short
  // notification-style bodies and bounds the per-link WHOIS lookups below.
  and length(body.links) < 10
  // Fire if any link points, directly or through a Mimecast rewrite, at a host
  // such a notification should not normally send recipients to.
  and any(body.links,
          // Direct links: destination is a known free file host or free subdomain host.
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.domain in $free_subdomain_hosts
          // Mimecast link logic: for Mimecast-rewritten links the rule treats the
          // decoded 'domain' query parameter as the original destination host and
          // applies the same host checks to that value.
          or (
            .href_url.domain.root_domain in (
              "mimecastprotect.com",
              "mimecast.com"
            )
            and any(.href_url.query_params_decoded['domain'],
                    strings.parse_domain(.).domain in $free_file_hosts
                    or strings.parse_domain(.).root_domain in $free_file_hosts
                    // NOTE(review): this compares root_domain against $free_subdomain_hosts,
                    // while the direct-link branch above compares .domain -- confirm which
                    // is intended and align the two branches.
                    or strings.parse_domain(.).root_domain in $free_subdomain_hosts
                    // Wrapped destinations that are themselves commonly used as
                    // landing/redirect hosts: Google Cloud Storage and Microsoft
                    // sign-in (the "Microsoft OAuth" case in the description).
                    or . in (
                      "storage.cloud.google.com",
                      "login.microsoftonline.com"
                    )
            )
          )
          // Newly registered destination domain (WHOIS age under 30 days).
          or network.whois(.href_url.domain).days_old < 30
          // abuse observed: links on Google's own share.google domain.
          or .href_url.domain.root_domain == "share.google"
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Open redirect"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "473d3247-8f99-5130-b091-ed95a6fff5ba"