From 53197086520b1a6ef05aec154e943c81b0c8dd53 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 3 Nov 2023 15:33:29 +0000
Subject: [PATCH] Sync from PR#909

New Rule: Suspicious Lookerstudio link by @morriscode
https://github.com/sublime-security/sublime-rules/pull/909

Source SHA fe8827b2d60961d72d60d34efdf16e93f699bf33
Triggered by @morriscode
---
 ...us_lookerstudio_new_unsolicited_sender.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml

diff --git a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
new file mode 100644
index 00000000000..6d38dd73492
--- /dev/null
+++ b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
@@ -0,0 +1,28 @@
+name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
+description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender. "
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(body.current_thread.text) < 800
+ and regex.icontains(body.current_thread.text,
+ '(shared.{0,30}with you|View Document)'
+ )
+ and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
+
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ and not profile.by_sender().solicited
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
+id: "dbb50cb4-171f-532b-b820-906be09d03d6"
+testing_pr: 909
+testing_sha: fe8827b2d60961d72d60d34efdf16e93f699bf33
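Review bot: The `description` claims the rule detects a "non standard lookerstudio template", but nothing in `source` inspects a template — the only conditions are a thread shorter than 800 characters, the `(shared.{0,30}with you|View Document)` regex, a link whose domain equals `lookerstudio.google.com`, and a new/outlier, unsolicited sender profile. A genuine Looker Studio share notification presumably carries the same share wording and the same link domain, so the sender profile is the sole discriminator and a first-time legitimate share from a colleague is likely to fire as medium-severity credential phishing; if Google's own notifications are meant to be excluded, add a negative condition on the sending identity (whatever authenticated-sender fields the MQL environment exposes), and otherwise reword the description to match what the logic actually checks, e.g. `description: "Detects short messages with share-style wording linking to lookerstudio.google.com, sent by a new and unsolicited sender."`. The description string also ends with a stray space before the closing quote.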