← Back to Explore
sublimehighRule
Google Drive abuse: Credential phishing link
This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content. The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.
Detection Query
type.inbound
and sender.email.email in (
"drive-shares-dm-noreply@google.com",
"drive-shares-noreply@google.com"
)
// malicious observed shares don't include the google "Added you as an editor" phrase.
// allowing user edits to a malicous document could neuter the threat
and not strings.contains(body.current_thread.text, "added you as an editor")
and any(filter(body.links,
.href_url.domain.domain != "support.google.com"
and .display_text == "Open"
),
(
(
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
)
and length(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot
).brands
) > 0
)
or any(file.explode(ml.link_analysis(.).screenshot),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
and (
length(ml.logo_detect(ml.link_analysis(..).screenshot).brands
) > 0
and ml.link_analysis(..).credphish.disposition == "phishing"
)
)
and not ml.link_analysis(..).effective_url.domain.domain == "accounts.google.com"
// standard Google Docs error
and not strings.contains(.scan.ocr.raw,
"encountered an error. Please try reloading this page"
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Google Drive abuse: Credential phishing link"
description: |
This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.
The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.
type: "rule"
severity: "high"
source: |
type.inbound
and sender.email.email in (
"drive-shares-dm-noreply@google.com",
"drive-shares-noreply@google.com"
)
// malicious observed shares don't include the google "Added you as an editor" phrase.
// allowing user edits to a malicous document could neuter the threat
and not strings.contains(body.current_thread.text, "added you as an editor")
and any(filter(body.links,
.href_url.domain.domain != "support.google.com"
and .display_text == "Open"
),
(
(
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
)
and length(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot
).brands
) > 0
)
or any(file.explode(ml.link_analysis(.).screenshot),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
and (
length(ml.logo_detect(ml.link_analysis(..).screenshot).brands
) > 0
and ml.link_analysis(..).credphish.disposition == "phishing"
)
)
and not ml.link_analysis(..).effective_url.domain.domain == "accounts.google.com"
// standard Google Docs error
and not strings.contains(.scan.ocr.raw,
"encountered an error. Please try reloading this page"
)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Impersonation: Brand"
detection_methods:
- "Computer Vision"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
- "URL analysis"
- "URL screenshot"
id: "c74aece0-b8ac-53bc-861f-ac28a419a345"