EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Open Redirect: Google domain with /url path and suspicious indicators

This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). To enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasion

Detection Query

type.inbound
// All attachments are images or 0 attachments
and (
  (
    length(attachments) > 0
    and all(attachments, .file_type in $file_types_images)
  )
  or length(attachments) == 0
)
and sender.email.domain.root_domain not in $org_domains
// negate auth'ed google messages
and not (
  sender.email.domain.sld == "google"
  and sender.email.local_part in ("googlealerts-noreply", "comments-noreply")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)
// not a reply
and (
  length(headers.references) == 0
  or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// With a Google Redirect
and any(body.links,
        (
          .href_url.domain.sld == "google"
          and .href_url.path == "/url"
          and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
        )
        or any(.href_url.rewrite.encoders, . == 'google_open_redirect')
)
and 2 of (
  // Not a google logo
  any(attachments,
      .file_type in $file_types_images
      and (
        any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
        or any(ml.logo_detect(file.message_screenshot()).brands,
               not strings.starts_with(.name, "Google")
        )
      )
  ),
  // Body analysis - NLU - Credential theft
  (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in~ ("medium", "high")
    )
  ),
  // Image analysis - NLU - Credential theft language
  (
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).intents,
                    .name == "cred_theft"
                )
        )
    )
  ),
  // Content analysis - Body - Urgency
  (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "urgency"
    )
  ),

  // White font is found in html raw
  (
    length(body.html.display_text) < 500
    and regex.icontains(body.html.raw,
                        '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
    )
  )

  // domains using .app matching this pattern observed abusing google's redirect
  or regex.icontains(sender.email.domain.domain,
                     '[a-z]{3,}\.\d{5,}[^\.]+\.app$'
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Open Redirect: Google domain with /url path and suspicious indicators"
description: |
  This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). 
  To enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // All attachments are images or 0 attachments
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  and sender.email.domain.root_domain not in $org_domains
  // negate auth'ed google messages
  and not (
    sender.email.domain.sld == "google"
    and sender.email.local_part in ("googlealerts-noreply", "comments-noreply")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
  // not a reply
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // With a Google Redirect
  and any(body.links,
          (
            .href_url.domain.sld == "google"
            and .href_url.path == "/url"
            and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
          )
          or any(.href_url.rewrite.encoders, . == 'google_open_redirect')
  )
  and 2 of (
    // Not a google logo
    any(attachments,
        .file_type in $file_types_images
        and (
          any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
          or any(ml.logo_detect(file.message_screenshot()).brands,
                 not strings.starts_with(.name, "Google")
          )
        )
    ),
    // Body analysis - NLU - Credential theft
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in~ ("medium", "high")
      )
    ),
    // Image analysis - NLU - Credential theft language
    (
      any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft"
                  )
          )
      )
    ),
    // Content analysis - Body - Urgency
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      )
    ),
  
    // White font is found in html raw
    (
      length(body.html.display_text) < 500
      and regex.icontains(body.html.raw,
                          '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
      )
    )
  
    // domains using .app matching this pattern observed abusing google's redirect
    or regex.icontains(sender.email.domain.domain,
                       '[a-z]{3,}\.\d{5,}[^\.]+\.app$'
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  
id: "fc5adf74-6a39-5285-9737-3539a0542313"