EXPLORE
Sign In
← Back to Explore
sublimelowRule

Spam: Sexually explicit Google group invitation

Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions.

MITRE ATT&CK

T1566T1598
initial-access

Detection Query

type.inbound
// 
//  Warning: This rule contains sexually explicit keywords
// 
and sender.email.email == "noreply@groups.google.com"
and (
  strings.istarts_with(subject.base, 'Invitation to join ')
  or strings.istarts_with(subject.base, 'You have been added to ')
  // the group name contains sexually explicit keywords
  // this regex should be kept in sync between the Google Group, Google Drive Share, and Looker Studio rules
  or regex.icontains(subject.base,
                     '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
  )
)
// the invite is not from an $org_domain user
and not any($org_domains,
            strings.icontains(body.current_thread.text,
                              strings.concat('@',
                                             .,
                                             ' invited you to join the '
                              )
            )
            or strings.icontains(body.current_thread.text,
                                 strings.concat('@', ., ' added you to the ')
            )
)
and (
  // the group name contains 7 char sets at the start and end and must contain a number
  regex.icontains(subject.base,
                  '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$'
  )
  // calls to action in the group name
  or regex.icontains(subject.base,
                     '(?:added to|to join) .*(join|(?:click|go|tap) here)'
  )
  // it contains an emoji in the group name
  or regex.icontains(subject.base,
                     '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
  )
  // the description of the group contains sexually explicit keywords
  // this regex should be kept in sync between the Google Group and the Looker Studio rules
  or regex.icontains(body.current_thread.text,
                     '(?:about this group|message from).*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner).*https?://'
  )
  // the invitor is an email domain which contains 3 labels
  or (
    regex.icontains(body.current_thread.text,
                    '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)'
    )
    // where the group name contains "lists."
    and not regex.icontains(body.current_thread.text,
                            '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\@]+\@lists\.'
    )
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Spam: Sexually explicit Google group invitation"
description: "Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions."
type: "rule"
severity: "low"
source: |
  type.inbound
  // 
  //  Warning: This rule contains sexually explicit keywords
  // 
  and sender.email.email == "noreply@groups.google.com"
  and (
    strings.istarts_with(subject.base, 'Invitation to join ')
    or strings.istarts_with(subject.base, 'You have been added to ')
    // the group name contains sexually explicit keywords
    // this regex should be kept in sync between the Google Group, Google Drive Share, and Looker Studio rules
    or regex.icontains(subject.base,
                       '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
    )
  )
  // the invite is not from an $org_domain user
  and not any($org_domains,
              strings.icontains(body.current_thread.text,
                                strings.concat('@',
                                               .,
                                               ' invited you to join the '
                                )
              )
              or strings.icontains(body.current_thread.text,
                                   strings.concat('@', ., ' added you to the ')
              )
  )
  and (
    // the group name contains 7 char sets at the start and end and must contain a number
    regex.icontains(subject.base,
                    '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$'
    )
    // calls to action in the group name
    or regex.icontains(subject.base,
                       '(?:added to|to join) .*(join|(?:click|go|tap) here)'
    )
    // it contains an emoji in the group name
    or regex.icontains(subject.base,
                       '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
    )
    // the description of the group contains sexually explicit keywords
    // this regex should be kept in sync between the Google Group and the Looker Studio rules
    or regex.icontains(body.current_thread.text,
                       '(?:about this group|message from).*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner).*https?://'
    )
    // the invitor is an email domain which contains 3 labels
    or (
      regex.icontains(body.current_thread.text,
                      '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)'
      )
      // where the group name contains "lists."
      and not regex.icontains(body.current_thread.text,
                              '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\@]+\@lists\.'
      )
    )
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "4e0bec29-be9c-526f-ad56-824b4d87f55d"