Detection rules › Sublime MQL

Impersonation: Chrome Web Store policy

Severity: low
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. It flags messages that use observed sender and link domains and the specific HTML formatting patterns typical of this impersonation.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Credential Phishing
Tactics and techniques | Impersonation: Brand, Free email provider, Lookalike domain

Rule body (MQL)

type.inbound
and sender.email.domain.domain != 'gmail.com'
and (
  // subject and sender
  sender.email.domain.root_domain in (
    "chromeforextension.com",
    "forextensions.com",
    "supportchromestore.com"
  )
  or (
    2 of (
      strings.icontains(sender.email.domain.root_domain, 'chrome'),
      strings.icontains(sender.email.domain.root_domain, 'support'),
      strings.icontains(sender.email.domain.root_domain, 'extension'),
      strings.icontains(sender.email.domain.root_domain, 'webstore')
    )
  )
  or strings.icontains(sender.email.local_part, 'chromewebstore')
  or strings.icontains(sender.display_name, "Webstore Extension")
  or strings.icontains(subject.subject, 'Chrome Web Store Policy')
  // body and html
  or strings.icontains(body.html.raw,
                       '<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
  )
  or regex.icontains(body.current_thread.text,
                     'Item name: [^\s]+ security extension'
  )
  or strings.icontains(body.current_thread.text,
                       'Chrome Web Store Developer Support'
  )
  or strings.icontains(body.current_thread.text, 'Developer Program Policies')
  or strings.icontains(body.current_thread.text,
                       'Relevant section of the program policy:'
  )
  or strings.icontains(body.current_thread.text,
                       'Please accept our policies to continue publishing your products.'
  )

  // links
  or (
    length(distinct(body.links, .href_url.domain.root_domain)) < 10
    and any(body.links,
            .href_url.domain.root_domain in (
              "checkpolicy.site",
              "extensionpolicyprivacy.com",
              "extensionpolicy.net",
              "policyextension.info"
            )
            or .href_url.path == '/extension-policy-check'
            or .display_text == "Go To Policy"
    )
  )
)
// negate messages sent by Google support
and not (
  sender.email.domain.root_domain == 'google.com'
  and headers.auth_summary.dmarc.pass
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. sender.email.domain.domain is not 'gmail.com'
  3. any of:
    • sender.email.domain.root_domain in ('chromeforextension.com', 'forextensions.com', 'supportchromestore.com')
    • at least 2 of the following 4 substrings appear in sender.email.domain.root_domain:
      • chrome
      • support
      • extension
      • webstore
    • sender.email.local_part contains 'chromewebstore'
    • sender.display_name contains 'Webstore Extension'
    • subject.subject contains 'Chrome Web Store Policy'
    • body.html.raw contains '<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
    • body.current_thread.text matches 'Item name: [^\s]+ security extension'
    • body.current_thread.text contains 'Chrome Web Store Developer Support'
    • body.current_thread.text contains 'Developer Program Policies'
    • body.current_thread.text contains 'Relevant section of the program policy:'
    • body.current_thread.text contains 'Please accept our policies to continue publishing your products.'
    • all of:
      • length(distinct(body.links, .href_url.domain.root_domain)) < 10
      • any of body.links where any holds:
        • .href_url.domain.root_domain in ('checkpolicy.site', 'extensionpolicyprivacy.com', 'extensionpolicy.net', 'policyextension.info')
        • .href_url.path is '/extension-policy-check'
        • .display_text is 'Go To Policy'
  4. not:
    • all of:
      • sender.email.domain.root_domain is 'google.com'
      • headers.auth_summary.dmarc.pass

Inspects: body.current_thread.text, body.html.raw, body.links, body.links[].display_text, body.links[].href_url.domain.root_domain, body.links[].href_url.path, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.local_part, subject.subject, type.inbound. Sensors: regex.icontains, strings.icontains.
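The rule above is MQL and only runs inside Sublime, so as an added example (not part of the rule or of Sublime's code base) the same decision logic is re-implemented in Python over a constructed, minimal message model, so each branch (the "2 of 4" root-domain test, the link branch with its under-10-distinct-domains guard, and the trailing DMARC-authenticated google.com negation) can be exercised offline. Field names on the Message class are assumptions that mirror the MQL paths noted in the comments.

```python
import re
from dataclasses import dataclass, field

# Constructed message model holding only the fields the rule inspects (MQL paths in
# comments); links are (root_domain, path, display_text) tuples. Not Sublime's own model.
@dataclass
class Message:
    inbound: bool = True        # type.inbound
    domain: str = ""            # sender.email.domain.domain
    root_domain: str = ""       # sender.email.domain.root_domain
    local_part: str = ""        # sender.email.local_part
    display_name: str = ""      # sender.display_name
    subject: str = ""           # subject.subject
    text: str = ""              # body.current_thread.text
    html: str = ""              # body.html.raw
    links: list = field(default_factory=list)   # body.links
    dmarc_pass: bool = False    # headers.auth_summary.dmarc.pass

SENDER_DOMAINS = {"chromeforextension.com", "forextensions.com", "supportchromestore.com"}
LINK_DOMAINS = {"checkpolicy.site", "extensionpolicyprivacy.com",
                "extensionpolicy.net", "policyextension.info"}
BODY_PHRASES = ("Chrome Web Store Developer Support", "Developer Program Policies",
                "Relevant section of the program policy:",
                "Please accept our policies to continue publishing your products.")
HTML_BANNER = '<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
ITEM_RE = re.compile(r"Item name: [^\s]+ security extension", re.IGNORECASE)

def icontains(hay: str, needle: str) -> bool:   # strings.icontains
    return needle.lower() in hay.lower()

def matches(m: Message) -> bool:
    if not m.inbound or m.domain == "gmail.com":
        return False
    if m.root_domain == "google.com" and m.dmarc_pass:   # trailing negation
        return False
    sender_hits = [
        m.root_domain in SENDER_DOMAINS,
        # "2 of (...)": at least two of the four root-domain substrings
        sum(icontains(m.root_domain, w) for w in ("chrome", "support", "extension", "webstore")) >= 2,
        icontains(m.local_part, "chromewebstore"),
        icontains(m.display_name, "Webstore Extension"),
        icontains(m.subject, "Chrome Web Store Policy"),
    ]
    body_hits = [icontains(m.html, HTML_BANNER), bool(ITEM_RE.search(m.text)),
                 *(icontains(m.text, p) for p in BODY_PHRASES)]
    # link branch only applies when the body links to fewer than 10 distinct root domains
    link_hit = len({root for root, _, _ in m.links}) < 10 and any(
        root in LINK_DOMAINS or path == "/extension-policy-check" or disp == "Go To Policy"
        for root, path, disp in m.links)
    return any(sender_hits) or any(body_hits) or link_hit
```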

Indicators matched (23)

Field | Match | Value
sender.email.domain.root_domain | member | chromeforextension.com
sender.email.domain.root_domain | member | forextensions.com
sender.email.domain.root_domain | member | supportchromestore.com
strings.icontains | substring | chrome
strings.icontains | substring | support
strings.icontains | substring | extension
strings.icontains | substring | webstore
strings.icontains | substring | chromewebstore
strings.icontains | substring | Webstore Extension
strings.icontains | substring | Chrome Web Store Policy
strings.icontains | substring | <div style="background-color:rgb(65,132,243);padding:50px 20px 0px">
regex.icontains | regex | Item name: [^\s]+ security extension
strings.icontains | substring | Chrome Web Store Developer Support
strings.icontains | substring | Developer Program Policies
strings.icontains | substring | Relevant section of the program policy:
strings.icontains | substring | Please accept our policies to continue publishing your products.
body.links[].href_url.domain.root_domain | member | checkpolicy.site
body.links[].href_url.domain.root_domain | member | extensionpolicyprivacy.com
body.links[].href_url.domain.root_domain | member | extensionpolicy.net
body.links[].href_url.domain.root_domain | member | policyextension.info
body.links[].href_url.path | equals | /extension-policy-check
body.links[].display_text | equals | Go To Policy
sender.email.domain.root_domain | equals | google.com