From dfebf62eab59878e2b90cf21611631468f0b801e Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 6 Dec 2023 16:59:29 -0500
Subject: [PATCH] Update google_drive_abuse_credential_phishing.yml (#1090)
Co-authored-by: Josh Kamdjou
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
---
 detection-rules/google_drive_abuse_credential_phishing.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/detection-rules/google_drive_abuse_credential_phishing.yml b/detection-rules/google_drive_abuse_credential_phishing.yml
index a272cbf32b5..d41b2a0233c 100644
--- a/detection-rules/google_drive_abuse_credential_phishing.yml
+++ b/detection-rules/google_drive_abuse_credential_phishing.yml
@@ -26,8 +26,13 @@ source: |
 )
 )
 and not beta.linkanalysis(..).effective_url.domain.domain == "accounts.google.com"
+ // standard Google Docs error
+ and not strings.contains(.scan.ocr.raw,
+ "encountered an error. Please try reloading this page"
+ )
 )
 )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
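Review bot: The added `and not strings.contains(.scan.ocr.raw, ...)` exclusion trusts OCR text taken from the rendered page, which is content the page's author controls, so any linked page that displays that sentence is dropped from this rule regardless of where it is hosted. Consider tying the exclusion to a Google-served page, for example `and not (beta.linkanalysis(..).effective_url.domain.root_domain == "google.com" and strings.contains(.scan.ocr.raw, "encountered an error. Please try reloading this page"))`, assuming the genuine error page stays on a google.com host; that should be confirmed against the false positive that motivated the change. The match is also case-sensitive and depends on OCR returning the sentence unbroken, so `strings.icontains` would be more tolerant. The enclosing expression starts outside the hunk, so the scope of `.scan.ocr.raw` and `..` is inferred from the neighbouring `beta.linkanalysis(..)` line.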