From e9165f4876d0b1f629655b4d0533a4571b42e254 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 22 Nov 2024 15:35:33 -0600
Subject: [PATCH 1/5] Create spam_google_group_invite.yml
---
 detection-rules/spam_google_group_invite.yml | 50 ++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 detection-rules/spam_google_group_invite.yml
diff --git a/detection-rules/spam_google_group_invite.yml b/detection-rules/spam_google_group_invite.yml
new file mode 100644
index 00000000000..98cfb20e3a5
--- /dev/null
+++ b/detection-rules/spam_google_group_invite.yml
@@ -0,0 +1,50 @@
+name: "Spam: Google Groups Invitations"
+description: "Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions."
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ //
+ // Warning: This rule contains sexually explict keywords
+ //
+ and sender.email.email == "noreply@groups.google.com"
+ and (
+ strings.istarts_with(subject.subject, 'Invitation to join ')
+ or strings.istarts_with(subject.subject, 'You have been added to ')
+ )
+ // the invite is not from an $org_domain user
+ and not any($org_domains,
+ strings.icontains(body.current_thread.text,
+ strings.concat('@',
+ .,
+ ' invited you to join the '
+ )
+ )
+ or strings.icontains(body.current_thread.text,
+ strings.concat('@', ., ' added you to the ')
+ )
+ )
+ and (
+ // the group name contains 7 char sets at the start and end and must contain a number
+ regex.icontains(subject.subject,
+ '(?:added to|to join) [A-Z0-9]{6,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{6,7}$'
+ )
+ // calls to action in the group name
+ or regex.icontains(subject.subject,
+ '(?:added to|to join) .*(join|(?:click|go|tap) here)'
+ )
+ // it contains an emoji in the group name
+ or regex.icontains(subject.subject,
+ '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
+ )
+ or
+ regex.icontains(body.current_thread.text, '(?:about this group|message from).*(?:sex|horny|cock|fuck|ass|pussy|dick|tits|cum).*https?://')
+ )
+
+attack_types:
+ - "Spam"
+tactics_and_techniques:
+ - "Free email provider"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
From 88db12fe0e212220660632ddd9078eaafe7d091c Mon Sep 17 00:00:00 2001
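Review bot: The comment `// the group name contains 7 char sets at the start and end and must contain a number` does not describe the pattern beneath it: `[A-Z0-9]{6,7}` accepts purely alphabetic tokens and nothing in the regex demands a digit, only a non-letter or non-ASCII character somewhere between the two tokens, so a benign subject such as `Invitation to join Weekly Report - Sunday` satisfies this branch. Either require a digit inside each token or rewrite the comment to `// the group name starts and ends with a 6-7 char alphanumeric token with a non-letter in between`. The call-to-action branch `(join|(?:click|go|tap) here)` likewise matches `join` as a substring, so a group named `Joinery Club` fires; `\bjoin\b` keeps the intent. These regexes appear to use RE2/Rust-style syntax (`[[:^ascii:]]`, `\x{...}`), so lookahead is probably not available for enforcing the digit and the token class itself would need to change.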
From: ID Generator
Date: Fri, 22 Nov 2024 21:37:38 +0000
Subject: [PATCH 2/5] Auto add rule ID
---
 detection-rules/spam_google_group_invite.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/spam_google_group_invite.yml b/detection-rules/spam_google_group_invite.yml
index 98cfb20e3a5..11fa9273da3 100644
--- a/detection-rules/spam_google_group_invite.yml
+++ b/detection-rules/spam_google_group_invite.yml
@@ -48,3 +48,4 @@ tactics_and_techniques:
 detection_methods:
 - "Content analysis"
 - "Sender analysis"
+id: "4e0bec29-be9c-526f-ad56-824b4d87f55d"
From 2d8a25c089619bd71a85d4e5d8e63b329fdda6b3 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 22 Nov 2024 16:25:36 -0600
Subject: [PATCH 3/5] add tactic
---
 detection-rules/spam_google_group_invite.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/spam_google_group_invite.yml b/detection-rules/spam_google_group_invite.yml
index 11fa9273da3..558e1039672 100644
--- a/detection-rules/spam_google_group_invite.yml
+++ b/detection-rules/spam_google_group_invite.yml
@@ -45,6 +45,7 @@ attack_types:
 - "Spam"
 tactics_and_techniques:
 - "Free email provider"
+ - "Social engineering"
 detection_methods:
 - "Content analysis"
 - "Sender analysis"
From 32b79d1bff40ac10601b21d8ad231db414c34e58 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 4 Dec 2024 15:46:32 -0600
Subject: [PATCH 4/5] Update spam_google_group_invite.yml
---
 detection-rules/spam_google_group_invite.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/detection-rules/spam_google_group_invite.yml b/detection-rules/spam_google_group_invite.yml
index 558e1039672..22b0c2065d6 100644
--- a/detection-rules/spam_google_group_invite.yml
+++ b/detection-rules/spam_google_group_invite.yml
@@ -11,6 +11,9 @@ source: |
 and (
 strings.istarts_with(subject.subject, 'Invitation to join ')
 or strings.istarts_with(subject.subject, 'You have been added to ')
+ // the group name contains sexually explict keywords
+ or
+ regex.icontains(subject.subject, '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|ass|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)')
 )
 // the invite is not from an $org_domain user
 and not any($org_domains,
@@ -37,10 +40,13 @@ source: |
 or regex.icontains(subject.subject,
 '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
 )
+ // the description of the group contains sexually explict keywords
 or
- regex.icontains(body.current_thread.text, '(?:about this group|message from).*(?:sex|horny|cock|fuck|ass|pussy|dick|tits|cum).*https?://')
+ regex.icontains(body.current_thread.text, '(?:about this group|message from).*(?:(sex|horny|cock|fuck|ass|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)).*https?://')
+ // the invitor is an email domain which contains 3 labels
+ or
+ regex.icontains(body.current_thread.text, '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)')
 )
-
 attack_types:
 - "Spam"
 tactics_and_techniques:
From 191a2ff1e7bb3fe6efe4a8fb32ea5207b1682aca Mon Sep 17 00:00:00 2001
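Review bot: The new `or regex.icontains(subject.subject, '(?:Invitation to join|You have been added to) .*(?:sex|…|seduce)')` branch in the first hunk sits in the first `and ( … )` group, where it is effectively subsumed by the two `istarts_with` checks above it, and the second `and ( … )` group further down still has to match on its own, so a subject like `Invitation to join <explicit group name>` with an unremarkable body does not fire. If the comment's intent is that an explicit group name is itself a signal, the branch belongs in the second group as another `or` alongside the emoji and call-to-action checks. In both hunks the keyword list also includes ordinary words such as `video`, `strip`, `affair`, `desire`, `intimate`, `explicit` and `cheating`, and with no word boundaries `ass`, `cum` and `sex` match inside `class`, `document` and `Essex`; patch 5's hunks on the following lines bound only `ass`, so wrapping the whole alternation as `\b(?:sex|horny|…|seduce)\b` and pruning the generic terms would cut false positives across all of them. The second hunk's `(?:(sex|…|seduce))` additionally nests a capture group inside a non-capturing one for no apparent reason. The `source:` block starts and ends outside both hunks.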
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 26 Dec 2024 09:36:50 -0600
Subject: [PATCH 5/5] Update spam_google_group_invite.yml
---
 detection-rules/spam_google_group_invite.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/detection-rules/spam_google_group_invite.yml b/detection-rules/spam_google_group_invite.yml
index 22b0c2065d6..ca9380e7f99 100644
--- a/detection-rules/spam_google_group_invite.yml
+++ b/detection-rules/spam_google_group_invite.yml
@@ -13,7 +13,7 @@ source: |
 or strings.istarts_with(subject.subject, 'You have been added to ')
 // the group name contains sexually explict keywords
 or
- regex.icontains(subject.subject, '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|ass|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)')
+ regex.icontains(subject.subject, '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)')
 )
 // the invite is not from an $org_domain user
 and not any($org_domains,
@@ -30,7 +30,7 @@ source: |
 and (
 // the group name contains 7 char sets at the start and end and must contain a number
 regex.icontains(subject.subject,
- '(?:added to|to join) [A-Z0-9]{6,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{6,7}$'
+ '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$'
 )
 // calls to action in the group name
 or regex.icontains(subject.subject,
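Review bot: Widening both tokens to `[A-Z0-9]{5,7}` in the second hunk makes the random-string heuristic fire on ordinary five-letter words, e.g. `Invitation to join Sales Team - Europe` now matches, while the comment above it still says `7 char sets` and `must contain a number`, which the pattern has never enforced. If the goal is random-looking identifiers, require a digit inside each token rather than loosening the length; otherwise update the comment to `// the group name starts and ends with a 5-7 char alphanumeric token with a non-letter in between`. The `source:` block continues outside both hunks.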
@@ -42,10 +42,13 @@ source: |
 )
 // the description of the group contains sexually explict keywords
 or
- regex.icontains(body.current_thread.text, '(?:about this group|message from).*(?:(sex|horny|cock|fuck|ass|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)).*https?://')
+ regex.icontains(body.current_thread.text, '(?:about this group|message from).*(?:(sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)).*https?://')
 // the invitor is an email domain which contains 3 labels
- or
- regex.icontains(body.current_thread.text, '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)')
+ or
+ (regex.icontains(body.current_thread.text, '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)')
+ // where the group name contains "lists."
+ and not regex.icontains(body.current_thread.text, '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\@]+\@lists\.')
+ )
 )
 attack_types:
 - "Spam"
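Review bot: The `(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255}` invitor check in this hunk treats any three-label address as suspicious, so every sender at a second-level ccTLD domain such as `user@example.co.uk` or `user@example.com.au` trips it, and the new `and not … \@lists\.` exclusion only carves out group addresses under `lists.`, not those invitors. An explicit carve-out for the common registries, e.g. `and not regex.icontains(body.current_thread.text, '@[a-z0-9-]+\.(?:ac|co|com|edu|gov|net|org)\.[a-z]{2} (?:added you to the|invited you to join the)')`, would remove that class, or the branch could be gated on a second signal. Note also that the exclusion is evaluated against the whole `body.current_thread.text` rather than the line that matched, so a thread containing two invitor lines is suppressed by whichever one points at `lists.`; that is presumably rare but deserves a comment such as `// body-wide negation: any lists. invite in the thread suppresses this branch`. The enclosing `source:` block begins outside the hunk.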