EXPLORE
Sign In
← Back to Explore
sublimehighRule

Link to auto-downloaded file with Google Drive branding

A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.

MITRE ATT&CK

T1566.001T1204.002T1486T1566.002T1598.003T1566T1598
initial-access

Detection Query

type.inbound
and length(body.links) < 10
and any(body.links,
        // This isn't a Google Drive link
        .href_url.domain.root_domain != "google.com"
        and 

        // There are files downloaded
        length(ml.link_analysis(.).files_downloaded) > 0
        and 

        // Google Drive branding
        ml.link_analysis(.).credphish.brand.name == "GoogleDrive"
        and ml.link_analysis(.).credphish.brand.confidence == "high"
        and 

        // Hi from Qakbot
        any(file.explode(ml.link_analysis(.).screenshot),
            any([
                  "the file is not displayed correctly",
                  "use local downloaded file"
                ],
                strings.icontains(..scan.ocr.raw, .)
            )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

References

Tags

Malfam: QakBot
Raw Content
name: "Link to auto-downloaded file with Google Drive branding"
description: |
  A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.
type: "rule"
references:
  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
  - "https://twitter.com/pr0xylife/status/1598016053787123713"
severity: "high"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          // This isn't a Google Drive link
          .href_url.domain.root_domain != "google.com"
          and 
  
          // There are files downloaded
          length(ml.link_analysis(.).files_downloaded) > 0
          and 
  
          // Google Drive branding
          ml.link_analysis(.).credphish.brand.name == "GoogleDrive"
          and ml.link_analysis(.).credphish.brand.confidence == "high"
          and 
  
          // Hi from Qakbot
          any(file.explode(ml.link_analysis(.).screenshot),
              any([
                    "the file is not displayed correctly",
                    "use local downloaded file"
                  ],
                  strings.icontains(..scan.ocr.raw, .)
              )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "4b5343be-9b10-58a3-8d14-a1bae1eebc62"