-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create abuse_google_drive_unsolicited_reply-to.yml by @zoomequipd #2185 Source SHA c5f26a6 Triggered by @zoomequipd
- Loading branch information
Sublime Rule Testing Bot
committed
Dec 4, 2024
1 parent
32587db
commit d3f9c95
Showing
1 changed file
with
59 additions
and
0 deletions.
There are no files selected for viewing
59 changes: 59 additions & 0 deletions
59
detection-rules/abuse_google_drive_unsolicited_reply-to.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| name: "Service Abuse: Google Drive Share From an Unsolicited Reply-To Address" | ||
| description: "Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels." | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| and sender.email.email in ( | ||
| '[email protected]', | ||
| '[email protected]', | ||
| ) | ||
| and not any(headers.reply_to, .email.domain.domain in $org_domains) | ||
| // the message needs to have a reply-to address | ||
| and length(headers.reply_to) > 0 | ||
| // reply-to email address has never been sent an email by the org | ||
| and not ( | ||
| any(headers.reply_to, .email.email in $recipient_emails) | ||
| // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains | ||
| or any(filter(headers.reply_to, | ||
| // filter the list to only emails that are not in free_email_providers | ||
| ( | ||
| .email.domain.domain not in $free_email_providers | ||
| or .email.domain.root_domain not in $free_email_providers | ||
| ) | ||
| ), | ||
| .email.domain.domain in $recipient_domains | ||
| ) | ||
| ) | ||
| // reply-to address has never sent an email to the org | ||
| and not ( | ||
| any(headers.reply_to, .email.email in $sender_emails) | ||
| // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains | ||
| or any(filter(headers.reply_to, | ||
| // filter the list to only emails that are not in free_email_providers | ||
| ( | ||
| .email.domain.domain not in $free_email_providers | ||
| or .email.domain.domain not in $free_email_providers | ||
| ) | ||
| ), | ||
| .email.domain.root_domain in $sender_domains | ||
| ) | ||
| ) | ||
| tags: | ||
| - "Attack surface reduction" | ||
| attack_types: | ||
| - "BEC/Fraud" | ||
| - "Callback Phishing" | ||
| - "Credential Phishing" | ||
| tactics_and_techniques: | ||
| - "Free email provider" | ||
| - "Social engineering" | ||
| - "Free file host" | ||
| detection_methods: | ||
| - "Header analysis" | ||
| - "Sender analysis" | ||
| id: "4581ec0c-aed2-50ed-8e16-2c9ca1d350ff" | ||
| testing_pr: 2185 | ||
| testing_sha: c5f26a6cdbf2c7ec336a678f995d0df0245dd89f |