
Brand impersonation: Google Meet with malicious link

Detects messages with 'Join with Google Meet' display text that redirects to domains other than meet.google.com.

MITRE ATT&CK

initial-access

Detection Query

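type.inbound
// A link rendered as "Join with Google Meet" whose destination host is not the
// real Google Meet host. The comparison is an exact domain match rather than a
// substring test: strings.contains(domain, "meet.google.com") is also satisfied
// by any unrelated domain that merely contains that text somewhere in its name,
// which would leave exactly the lookalike destinations this rule is after
// unflagged. Exact comparison matches the rule description ("domains other
// than meet.google.com").
// NOTE(review): links whose href has no parseable domain (null) -- confirm how
// null compares here and whether those links should be in scope.
and any(body.current_thread.links,
        .display_text == "Join with Google Meet"
        and .href_url.domain.domain != "meet.google.com"
)
// Require at least one visual marker of a Google Meet invitation in the HTML,
// so a bare text link with that wording is not enough on its own.
and (
  // finding the logo tag in the html
  any(html.xpath(body.html, '//img[@alt="[Optional Logo]"]').nodes,
      .raw is not null
  )
  // OR find the green button: an anchor styled with the Meet green
  // (rgb(52,168,83)) that also carries the join wording
  or any(html.xpath(body.html, '//a[contains(@style, "rgb(52,168,83)")]').nodes,
         .display_text == "Join with Google Meet"
  )
)
// finding the "Guests"/"Join by phone" tables NOT being present in the message is a good way to filter out the legit messages.
and length(html.xpath(body.html,
                      '//table/tbody/tr/td/h2[contains(@style, "color:rgb(60,64,67)")]'
           ).nodes
) == 0
// we're filtering out some more "generic" table heading for google meets with this one
and not any(distinct(map(html.xpath(body.html, '//table//h2').nodes,
                         .inner_text
                     )
            ),
            . in ("Meeting link", "Join by phone", "Guests")
)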

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
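# Sublime Security detection rule; the rule logic is MQL in `source`.
# Fires on inbound mail that carries a "Join with Google Meet" link pointing
# away from meet.google.com while still showing Google Meet branding (logo or
# green join button) and lacking the table headings found in the invitations
# the rule treats as legitimate.
name: "Brand impersonation: Google Meet with malicious link"
description: "Detects messages with 'Join with Google Meet' display text that redirects to domains other than meet.google.com."
type: "rule"
severity: "medium"
# `|` keeps the MQL newlines and its `//` comments verbatim.
source: |
  type.inbound
  // A link rendered as "Join with Google Meet" whose destination host is not the
  // real Google Meet host. The comparison is an exact domain match rather than a
  // substring test: strings.contains(domain, "meet.google.com") is also satisfied
  // by any unrelated domain that merely contains that text somewhere in its name,
  // which would leave exactly the lookalike destinations this rule is after
  // unflagged. Exact comparison matches the rule description ("domains other
  // than meet.google.com").
  // NOTE(review): links whose href has no parseable domain (null) -- confirm how
  // null compares here and whether those links should be in scope.
  and any(body.current_thread.links,
          .display_text == "Join with Google Meet"
          and .href_url.domain.domain != "meet.google.com"
  )
  // Require at least one visual marker of a Google Meet invitation in the HTML,
  // so a bare text link with that wording is not enough on its own.
  and (
    // finding the logo tag in the html
    any(html.xpath(body.html, '//img[@alt="[Optional Logo]"]').nodes,
        .raw is not null
    )
    // OR find the green button: an anchor styled with the Meet green
    // (rgb(52,168,83)) that also carries the join wording
    or any(html.xpath(body.html, '//a[contains(@style, "rgb(52,168,83)")]').nodes,
           .display_text == "Join with Google Meet"
    )
  )
  // finding the "Guests"/"Join by phone" tables NOT being present in the message is a good way to filter out the legit messages.
  and length(html.xpath(body.html,
                        '//table/tbody/tr/td/h2[contains(@style, "color:rgb(60,64,67)")]'
             ).nodes
  ) == 0
  // we're filtering out some more "generic" table heading for google meets with this one
  and not any(distinct(map(html.xpath(body.html, '//table//h2').nodes,
                           .inner_text
                       )
              ),
              . in ("Meeting link", "Join by phone", "Guests")
  )
# Classification labels attached to the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
# Rule identifier.
id: "d488d85a-fb02-5b40-a902-03ba0784ad35"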