Google Notification alert link from non-Google sender

name: "Google Notification alert link from non-Google sender"
description: "This rule detects messages that leverage a link to notifications.google.com not from google and from an untrusted sender. Commonly abused in salesforce phishing campaigns. "
type: "rule"
references:
  - "https://www.reddit.com/r/Scams/comments/15oilcr/meta_business_suite_messenger_phishing_scam_can/"
severity: "medium"
source: |
  type.inbound
  // ignore messages from google[.]com unlesss they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in ("google.com", "youtube.com", "nest.com")
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in (
      "google.com",
      "youtube.com",
      "nest.com"
    )
  )
  and any(body.links,
          .href_url.domain.domain == "notifications.google.com"
          and strings.starts_with(.href_url.path, "/g/p/")
  )
  and (
    any($suspicious_subjects, strings.icontains(subject.subject, .))
    or strings.ilike(subject.subject, '*verification*')
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    // we've observed salesforce abuse
    or sender.email.domain.root_domain == "salesforce.com"
    or headers.return_path.domain.root_domain == "salesforce.com"
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "a1c1acfd-9b3b-58a7-81f1-b2c631b02985"