Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create abuse_google_drive_unsolicited_reply-to.yml #2185

Merged
merged 2 commits into from
Dec 16, 2024
Merged

Create abuse_google_drive_unsolicited_reply-to.yml #2185

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
70956eb
Create abuse_google_drive_unsolicited_reply-to.yml
zoomequipd Dec 4, 2024
c5f26a6
Auto add rule ID
Dec 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 57 additions & 0 deletions detection-rules/abuse_google_drive_unsolicited_reply-to.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
name: "Service Abuse: Google Drive Share From an Unsolicited Reply-To Address"
description: "Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels."
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.email in (
'[email protected]',
'[email protected]',
)
and not any(headers.reply_to, .email.domain.domain in $org_domains)

// the message needs to have a reply-to address
and length(headers.reply_to) > 0

// reply-to email address has never been sent an email by the org
and not (
any(headers.reply_to, .email.email in $recipient_emails)
// if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
or any(filter(headers.reply_to,
// filter the list to only emails that are not in free_email_providers
(
.email.domain.domain not in $free_email_providers
or .email.domain.root_domain not in $free_email_providers
)
),
.email.domain.domain in $recipient_domains
)
)
// reply-to address has never sent an email to the org
and not (
any(headers.reply_to, .email.email in $sender_emails)
// if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
or any(filter(headers.reply_to,
// filter the list to only emails that are not in free_email_providers
(
.email.domain.domain not in $free_email_providers
or .email.domain.domain not in $free_email_providers
)
),
.email.domain.root_domain in $sender_domains
)
)
tags:
- "Attack surface reduction"
attack_types:
- "BEC/Fraud"
- "Callback Phishing"
- "Credential Phishing"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
- "Free file host"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "4581ec0c-aed2-50ed-8e16-2c9ca1d350ff"