Google Drive direct download link from unsolicited sender

name: "Google Drive direct download link from unsolicited sender"
description: |
  This rule detects Google Drive links that use the direct download URL pattern which automatically downloads files when clicked. This pattern is frequently used by threat actors to distribute malware.
  
  The links are formatted like: drive.google.com/uc?id=FILE_ID&export=download
  
  These links skip the preview page and immediately download the file to the user's device, which can be dangerous for recipients. Threat actors exploit this pattern to directly distribute malware while appearing to share legitimate content from a trusted service.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.links) < 10
  and any(body.links,
          (
            // Match Google Drive direct download links
            strings.icontains(.href_url.url, "drive.google.com/uc") 
            and (
              strings.icontains(.href_url.url, "export=download")
              or strings.icontains(.href_url.query_params, "export=download")
            )
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    // Only trigger on unsolicited senders
    not profile.by_sender().solicited
    or (
      // Or senders with suspicious history
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
  - "Content analysis"
id: "78a19343-cfe7-5fd5-9816-dcb4293b705d"