sublime | medium | Rule
Link: Google Drawings link from new sender
Detects messages containing Google Drawings links from previously unseen senders, which may indicate abuse of Google's drawing service for malicious content delivery.
Detection Query
type.inbound
// google drawings link
and any(body.current_thread.links,
        .href_url.domain.domain == "docs.google.com"
        and strings.istarts_with(.href_url.path, '/drawings')
        and (
          strings.icontains(.href_url.path, '/preview')
          or any(ml.nlu_classifier(body.current_thread.text).intents,
                 .name == "cred_theft" and .confidence != "low"
          )
        )
)
and profile.by_sender_email().prevalence == "new"
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Google Drawings link from new sender"
description: "Detects messages containing Google Drawings links from previously unseen senders, which may indicate abuse of Google's drawing service for malicious content delivery."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // google drawings link
  and any(body.current_thread.links,
          .href_url.domain.domain == "docs.google.com"
          and strings.istarts_with(.href_url.path, '/drawings')
          and (
            strings.icontains(.href_url.path, '/preview')
            or any(ml.nlu_classifier(body.current_thread.text).intents,
                   .name == "cred_theft" and .confidence != "low"
            )
          )
  )
  and profile.by_sender_email().prevalence == "new"
attack_types:
- "Credential Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "URL analysis"
- "Sender analysis"
id: "fb91c892-c511-53ad-bc46-58ef23db95fb"