sublimemediumRule

Link to Google Apps Script macro (unsolicited)

Message contains a Google Apps Script macro link. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1204.002 T1486

initial-access

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.domain == "script.google.com"
        and strings.ilike(.href_url.path, "/macros*")
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://twitter.com/bunnymaid/status/1415478829162762240

Raw Content

name: "Link to Google Apps Script macro (unsolicited)"
description: |
  Message contains a Google Apps Script macro link. App Scripts can run 
  arbitrary code, including redirecting the user to a malicious web page.
references:
  - "https://twitter.com/bunnymaid/status/1415478829162762240"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "script.google.com"
          and strings.ilike(.href_url.path, "/macros*")
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "d10146df-547f-5a89-8690-477283e3b1f7"