EXPLORE
Sign In
← Back to Explore
sublimelowRule

Impersonation: Chrome Web Store policy

Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003T1583.001
initial-access

Detection Query

type.inbound
and sender.email.domain.domain != 'gmail.com'
and (
  // subject and sender
  sender.email.domain.root_domain in (
    "chromeforextension.com",
    "forextensions.com",
    "supportchromestore.com"
  )
  or (
    2 of (
      strings.icontains(sender.email.domain.root_domain, 'chrome'),
      strings.icontains(sender.email.domain.root_domain, 'support'),
      strings.icontains(sender.email.domain.root_domain, 'extension'),
      strings.icontains(sender.email.domain.root_domain, 'webstore')
    )
  )
  or strings.icontains(sender.email.local_part, 'chromewebstore')
  or strings.icontains(sender.display_name, "Webstore Extension")
  or strings.icontains(subject.subject, 'Chrome Web Store Policy')
  // body and html
  or strings.icontains(body.html.raw,
                       '<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
  )
  or regex.icontains(body.current_thread.text,
                     'Item name: [^\s]+ security extension'
  )
  or strings.icontains(body.current_thread.text,
                       'Chrome Web Store Developer Support'
  )
  or strings.icontains(body.current_thread.text, 'Developer Program Policies')
  or strings.icontains(body.current_thread.text,
                       'Relevant section of the program policy:'
  )
  or strings.icontains(body.current_thread.text,
                       'Please accept our policies to continue publishing your products.'
  )

  // links
  or (
    length(distinct(body.links, .href_url.domain.root_domain)) < 10
    and any(body.links,
            .href_url.domain.root_domain in (
              "checkpolicy.site",
              "extensionpolicyprivacy.com",
              "extensionpolicy.net",
              "policyextension.info"
            )
            or .href_url.path == '/extension-policy-check'
            or .display_text == "Go To Policy"
    )
  )
)
// negate messages sent by Google support
and not (
  sender.email.domain.root_domain == 'google.com'
  and headers.auth_summary.dmarc.pass
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

References

Raw Content
name: "Impersonation: Chrome Web Store policy"
description: "Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation."
references:
  - "https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension"
  - "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and sender.email.domain.domain != 'gmail.com'
  and (
    // subject and sender
    sender.email.domain.root_domain in (
      "chromeforextension.com",
      "forextensions.com",
      "supportchromestore.com"
    )
    or (
      2 of (
        strings.icontains(sender.email.domain.root_domain, 'chrome'),
        strings.icontains(sender.email.domain.root_domain, 'support'),
        strings.icontains(sender.email.domain.root_domain, 'extension'),
        strings.icontains(sender.email.domain.root_domain, 'webstore')
      )
    )
    or strings.icontains(sender.email.local_part, 'chromewebstore')
    or strings.icontains(sender.display_name, "Webstore Extension")
    or strings.icontains(subject.subject, 'Chrome Web Store Policy')
    // body and html
    or strings.icontains(body.html.raw,
                         '<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
    )
    or regex.icontains(body.current_thread.text,
                       'Item name: [^\s]+ security extension'
    )
    or strings.icontains(body.current_thread.text,
                         'Chrome Web Store Developer Support'
    )
    or strings.icontains(body.current_thread.text, 'Developer Program Policies')
    or strings.icontains(body.current_thread.text,
                         'Relevant section of the program policy:'
    )
    or strings.icontains(body.current_thread.text,
                         'Please accept our policies to continue publishing your products.'
    )
  
    // links
    or (
      length(distinct(body.links, .href_url.domain.root_domain)) < 10
      and any(body.links,
              .href_url.domain.root_domain in (
                "checkpolicy.site",
                "extensionpolicyprivacy.com",
                "extensionpolicy.net",
                "policyextension.info"
              )
              or .href_url.path == '/extension-policy-check'
              or .display_text == "Go To Policy"
      )
    )
  )
  // negate messages sent by Google support
  and not (
    sender.email.domain.root_domain == 'google.com'
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Free email provider"
  - "Lookalike domain"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
  - "URL analysis"
id: "4a98f283-8cc6-5864-bafb-e1908d0a5a8b"