Skip to content

Commit

Permalink
Sync from PR#909
Browse files Browse the repository at this point in the history 
New Rule: Suspicious Lookerstudio link by @morriscode
#909
Source SHA fe8827b
Triggered by @morriscode
  • Loading branch information
Sublime Rule Testing Bot committed Nov 3, 2023
1 parent a162e30 commit 5319708
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender. "
type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.current_thread.text) < 800
and regex.icontains(body.current_thread.text,
'(shared.{0,30}with you|View Document)'
)
and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
and (
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "URL analysis"
id: "dbb50cb4-171f-532b-b820-906be09d03d6"
testing_pr: 909
testing_sha: fe8827b2d60961d72d60d34efdf16e93f699bf33

0 comments on commit 5319708

Please sign in to comment.