Google Drive abuse: Credential phishing link
This rule detects legitimate Google Drive share notifications whose linked Drive file hosts credential phishing content. The file is usually a PDF that impersonates a legitimate brand, uses credential-theft language, and contains a button or link to an external site that harvests login credentials.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Free file host, Impersonation: Brand |
Event coverage
| Message attribute |
|---|
| body |
| body.current_thread |
| body.links (collection) |
| sender.email |
| type |
Rule body (MQL)

```
type.inbound
and sender.email.email in (
  "drive-shares-dm-noreply@google.com",
  "drive-shares-noreply@google.com"
)
// observed malicious shares don't include Google's "added you as an editor" phrase;
// allowing user edits to a malicious document could neuter the threat
and not strings.contains(body.current_thread.text, "added you as an editor")
and any(filter(body.links,
                .href_url.domain.domain != "support.google.com"
                and .display_text == "Open"
        ),
        (
          (
            ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
          )
          and length(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot
                     ).brands
          ) > 0
        )
        or any(file.explode(ml.link_analysis(.).screenshot),
               (
                 any(ml.nlu_classifier(.scan.ocr.raw).intents,
                     .name == "cred_theft" and .confidence in ("medium", "high")
                 )
                 and (
                   length(ml.logo_detect(ml.link_analysis(..).screenshot).brands
                   ) > 0
                   and ml.link_analysis(..).credphish.disposition == "phishing"
                 )
               )
               // `..` is the enclosing link; `.` is the exploded file
               and not ml.link_analysis(..).effective_url.domain.domain == "accounts.google.com"
               // standard Google Docs error
               and not strings.contains(.scan.ocr.raw,
                                        "encountered an error. Please try reloading this page"
               )
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- sender.email.email in ('drive-shares-dm-noreply@google.com', 'drive-shares-noreply@google.com')
- not:
  - body.current_thread.text contains 'added you as an editor'
- any of filter(body.links) where any holds:
  - all of:
    - ml.link_analysis(.).credphish.disposition is 'phishing'
    - length(ml.logo_detect(ml.link_analysis(., mode='aggressive').screenshot).brands) > 0
  - any of file.explode(...) where all hold:
    - any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
      - .name is 'cred_theft'
      - .confidence in ('medium', 'high')
    - all of:
      - length(ml.logo_detect(ml.link_analysis(.).screenshot).brands) > 0
      - ml.link_analysis(.).credphish.disposition is 'phishing'
    - not:
      - ml.link_analysis(.).effective_url.domain.domain is 'accounts.google.com'
    - not:
      - .scan.ocr.raw contains 'encountered an error. Please try reloading this page'
Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.domain, sender.email.email, type.inbound. Sensors: file.explode, ml.link_analysis, ml.logo_detect, ml.nlu_classifier, strings.contains.
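To make the branch structure of the rule above concrete, here is an added Python model of its decision logic (example code, not Sublime's). Sublime's sensors are replaced by constructed per-link results, one for link_analysis in aggressive mode and one for the default mode, because the two branches differ only in which mode they consult; the message layout, field names and brand values are assumptions.

```python
DRIVE_SENDERS = {"drive-shares-dm-noreply@google.com", "drive-shares-noreply@google.com"}
EDITOR_PHRASE = "added you as an editor"          # legitimate edit-share phrase
GDOCS_ERROR = "encountered an error. Please try reloading this page"

def phishing_with_brand(analysis):
    """credphish.disposition == 'phishing' and at least one brand logo on the screenshot."""
    return analysis["disposition"] == "phishing" and len(analysis["brands"]) > 0

def open_links(msg):
    """filter(body.links, domain != support.google.com and display_text == 'Open')."""
    return [l for l in msg["links"]
            if l["domain"] != "support.google.com" and l["display_text"] == "Open"]

def file_branch(link):
    """The any(file.explode(screenshot), ...) branch; `link` stands in for `..`."""
    default = link["default"]                    # default-mode link_analysis result
    for f in link["files"]:                      # constructed file.explode() output
        cred_theft = any(i["name"] == "cred_theft" and i["confidence"] in ("medium", "high")
                         for i in f["intents"])  # stands in for ml.nlu_classifier
        if (cred_theft and phishing_with_brand(default)
                and default["effective_domain"] != "accounts.google.com"
                and GDOCS_ERROR not in f["ocr"]):
            return True
    return False

def rule_matches(msg):
    if not msg["inbound"] or msg["sender"] not in DRIVE_SENDERS:
        return False
    if EDITOR_PHRASE in msg["thread_text"]:      # strings.contains is case-sensitive
        return False
    return any(phishing_with_brand(l["aggressive"]) or file_branch(l)
               for l in open_links(msg))

def sample_share(aggressive, default, ocr="Review document", thread="shared a file with you"):
    """Constructed Drive-share message with one 'Open' link and one exploded PDF page."""
    return {"inbound": True, "sender": "drive-shares-noreply@google.com",
            "thread_text": thread,
            "links": [{"domain": "drive.google.com", "display_text": "Open",
                       "aggressive": aggressive, "default": default,
                       "files": [{"ocr": ocr,
                                  "intents": [{"name": "cred_theft", "confidence": "high"}]}]}]}

# Constructed sensor verdicts used by the scenarios below.
BENIGN = {"disposition": "benign", "brands": [], "effective_domain": "drive.google.com"}
PHISH = {"disposition": "phishing", "brands": ["ExampleBrand"], "effective_domain": "example.invalid"}
```

Passing different verdicts to `sample_share` shows which branch fires: an aggressive-mode phishing verdict matches on its own, a default-mode verdict needs the OCR intent as well, and either exclusion (accounts.google.com redirect or the Google Docs error page) suppresses the file branch.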
Indicators matched (8)
| Field | Match | Value |
|---|---|---|
| sender.email.email | member | drive-shares-dm-noreply@google.com |
| sender.email.email | member | drive-shares-noreply@google.com |
| strings.contains | substring | added you as an editor |
| body.links[].display_text | equals | Open |
| ml.nlu_classifier(file.explode(...)[].scan.ocr.raw).intents[].name | equals | cred_theft |
| ml.nlu_classifier(file.explode(...)[].scan.ocr.raw).intents[].confidence | member | medium |
| ml.nlu_classifier(file.explode(...)[].scan.ocr.raw).intents[].confidence | member | high |
| strings.contains | substring | encountered an error. Please try reloading this page |