New Rule: Suspicious Lookerstudio link (#909)

Co-authored-by: ID Generator <[email protected]>

detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml

@@ -0,0 +1,39 @@
+name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
+description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.current_thread.text) < 800
+  and regex.icontains(body.current_thread.text,
+                      '(shared.{0,30}with you|View Document)'
+  )
+  and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
+  
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    and not profile.by_sender().solicited
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "dbb50cb4-171f-532b-b820-906be09d03d6"