Brand impersonation: Google Drive fake file share
This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Malware/Ransomware |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
Rule body MQL
// Flags inbound mail that reads like a Google Drive share notification and
// carries Google branding, but whose links do not all resolve to google.com.
// Three parts: (1) share-notification wording in the body text, the rendered
// screenshot, or the subject; (2) a Google impersonation signal; (3)
// exclusions for genuine Google mail, trusted senders and established
// sender history.
type.inbound
// Google Drive body content looks like this
// (1) Share-notification wording. `.` is the current element of the list
// being iterated, so the pattern set is applied to the thread text and to
// the raw plain-text body in turn.
and (
(
(
any([body.current_thread.text, body.plain.raw],
strings.ilike(.,
"*shared a file with you*",
"*shared with you*",
"*invited you to review*",
"*received a document*",
"*shared a document*",
"*shared a spreadsheet*",
"*shared this document*",
"*shared an item*",
"*received this email because you*",
"*shared a*with you*",
"*automated *mail from google*drive*",
"*added as an editor*",
"*invited you to edit*"
)
)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// Same pattern set run over OCR of the rendered message, presumably so that
// wording present only inside an image is still matched -- confirm.
or strings.ilike(beta.ocr(file.message_screenshot()).text,
"*shared a file with you*",
"*shared with you*",
"*invited you to review*",
"*received a document*",
"*shared a document*",
"*shared a spreadsheet*",
"*shared this document*",
"*shared an item*",
"*received this email because you*",
"*shared a*with you*",
"*automated *mail from google*drive*",
"*added as an editor*",
"*invited you to edit*"
)
// suspicious subjects
// Dropbox senders are excluded from this subject check, presumably because
// their own share notifications use the same subject wording -- verify.
or (
(
regex.icontains(subject.subject, 'shared \".*\" with you')
and sender.email.domain.root_domain != "dropbox.com"
)
// with Google Drive terminology in body content
and any([body.current_thread.text, body.plain.raw],
strings.ilike(.,
"*Google Drive*",
"*Google Doc*",
"*Google Sheet*",
"*Google Slide*"
)
)
)
)
// Secondary subject/link/sender cues; at least one must accompany the
// wording match above.
and (
strings.ilike(subject.subject,
"*shared*",
"*updated*",
"*sign*",
"*review*"
)
// subject names a recipient's own second-level domain label
or any(recipients.to,
strings.icontains(subject.subject, .email.domain.sld)
)
or strings.ilike(subject.subject, "*Docs*", "*Sheets*", "*Slides*")
or any(body.links,
strings.icontains(.display_text, "open document")
or strings.iends_with(.display_text, ".pdf")
)
or strings.ilike(sender.display_name, "*Google Drive*")
or subject.subject is null
or subject.subject == ""
// In this regex each `.` matches any single character, so a plain "google"
// at the start of the thread text matches too, not only spaced or dotted
// spellings.
or regex.icontains(body.current_thread.text, '^g.o.o.g.l.e')
)
)
// Alternative to the whole block above: a localized "with you" phrase in the
// subject is accepted on its own.
or any([
"Contigo", // Spanish
"Avec vous", // French
"Mit Ihnen", // German
"Con te", // Italian
"Com você", // Portuguese
"Met u", // Dutch
"С вами", // Russian
"与你", // Chinese (Simplified)
"與您", // Chinese (Traditional)
"あなたと", // Japanese
"당신과", // Korean
"معك", // Arabic
"آپ کے ساتھ", // Urdu
"আপনার সাথে", // Bengali
"आपके साथ", // Hindi
"Sizinle", // Turkish // Azerbaijani
"Med dig", // Swedish
"Z tobą", // Polish
"З вами", // Ukrainian
"Önnel", // Hungarian
"Μαζί σας", // Greek
"איתך", // Hebrew
"กับคุณ", // Thai
"Với bạn", // Vietnamese
"Dengan Anda", // Indonesian // Malay
"Nawe", // Swahili
"Cu dumneavoastră", // Romanian
"S vámi", // Czech
"Med deg", // Norwegian
"S vami", // Slovak
// same string as the Swedish entry above; the duplicate is harmless
"Med dig", // Danish
"Amb vostè", // Catalan
"Teiega", // Estonian
"S vama", // Serbian
],
strings.icontains(subject.subject, .)
)
)
// contains logic that impersonates Google
// (2) Google impersonation signal: a detected Google logo, the Drive share-box
// markup, the "You have received this email because ..." boilerplate built
// around the sender's or a recipient's address, or the Google footer address.
and (
any(ml.logo_detect(file.message_screenshot()).brands,
strings.starts_with(.name, "Google")
)
// Google Drive share box formatting
// Exact substring match on the template markup; any deviation in attribute
// order or spacing misses.
or strings.icontains(body.html.raw,
'<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
)
// Image attachments get the same logo and OCR checks. Inside the nested
// any() over recipients.to, `..` appears to refer to the enclosing
// attachment and `.` to the recipient -- confirm against MQL scoping rules.
or any(attachments,
.file_type in $file_types_images
and (
any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
or strings.icontains(beta.ocr(.).text,
strings.concat("You have received this email because ",
sender.email.email,
" shared a document with you"
)
)
or strings.icontains(beta.ocr(.).text,
strings.concat("You have received this email because ",
sender.email.email,
" received a file or folder"
)
)
or any(recipients.to,
strings.icontains(beta.ocr(..).text,
strings.concat("You have received this email because ",
.email.email,
" shared a document with you"
)
)
)
or any(recipients.to,
strings.icontains(beta.ocr(..).text,
strings.concat("You have received this email because ",
.email.email,
" received a file or folder"
)
)
)
or strings.icontains(beta.ocr(.).text,
strings.concat(sender.display_name,
" (",
sender.email.email,
") ",
"shared"
)
)
)
)
// Same boilerplate strings checked in the thread text itself.
or strings.icontains(body.current_thread.text,
strings.concat("You have received this email because ",
sender.email.email,
" shared a document with you"
)
)
or strings.icontains(body.current_thread.text,
strings.concat("You have received this email because ",
sender.email.email,
" received a file or folder"
)
)
or any(recipients.to,
strings.icontains(body.current_thread.text,
strings.concat("You have received this email because ",
.email.email,
" shared a document with you"
)
)
)
or any(recipients.to,
strings.icontains(body.current_thread.text,
strings.concat("You have received this email because ",
.email.email,
" received a file or folder"
)
)
)
or strings.icontains(body.current_thread.text,
strings.concat(sender.display_name,
" (",
sender.email.email,
") ",
"shared"
)
)
// Google address from footer
// Any two of the three footer fragments are enough.
or 2 of (
strings.icontains(body.current_thread.text, 'Google LLC'),
strings.icontains(body.current_thread.text, '1600 Amphitheatre Parkway'),
strings.icontains(body.current_thread.text, 'Mountain View, CA 94043'),
)
)
// (3) Exclusions.
// Drop the hit when every link is on google.com; a sites.google.com link
// fails the inner predicate and so keeps the rule live. NOTE(review): if
// all() is vacuously true for an empty body.links, a message with no links
// at all is excluded here as well -- confirm against MQL semantics.
and not (
// Google Sites has been observed abused
all(body.links,
.href_url.domain.root_domain in ("google.com")
// allow for matches against sites.google.com, which has been observed being abused
and .href_url.domain.domain != "sites.google.com"
)
)
// sender is neither one of the org's own domains nor google.com
and sender.email.domain.root_domain not in $org_domains
and sender.email.domain.root_domain not in ("google.com")
// Genuine Google share notification: every References entry ends with
// @docs-share.google.com and the Return-Path domain is
// doclist.bounces.google.com.
and not (
all(headers.references, strings.ends_with(., '@docs-share.google.com'))
and headers.return_path.domain.domain == "doclist.bounces.google.com"
)
// negate first threads that are a legitimate Google Drive share
// Inspects the last element of body.previous_threads (presumably the oldest
// thread -- confirm ordering): it must have links, and all of them must be
// on google.com.
and not (
length(body.previous_threads) != 0
and length(body.previous_threads[length(body.previous_threads) - 1].links) != 0
and all(body.previous_threads[length(body.previous_threads) - 1].links,
.href_url.domain.root_domain == "google.com"
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// Sender-history gate: unsolicited, a new sender address, or a
// malicious/spam history without any benign history.
and (
profile.by_sender().solicited == false
or profile.by_sender_email().prevalence == "new"
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// NOTE(review): this conjunct already requires no benign history, which makes
// the inner "and not profile.by_sender().any_messages_benign" on the
// malicious/spam branch above redundant.
and not profile.by_sender().any_messages_benign
Detection logic
Scope: inbound message.
This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
- inbound message
any of:
all of:
any of:
any of
[body.current_thread.text, body.plain.raw] where: . matches any of 13 patterns
*shared a file with you*, *shared with you*, *invited you to review*, *received a document*, *shared a document*, *shared a spreadsheet*, *shared this document*, *shared an item*, *received this email because you*, *shared a*with you*, *automated *mail from google*drive*, *added as an editor*, *invited you to edit*
beta.ocr(file.message_screenshot()).text matches any of 13 patterns
*shared a file with you*, *shared with you*, *invited you to review*, *received a document*, *shared a document*, *shared a spreadsheet*, *shared this document*, *shared an item*, *received this email because you*, *shared a*with you*, *automated *mail from google*drive*, *added as an editor*, *invited you to edit*
all of:
all of:
- subject.subject matches 'shared \\".*\\" with you'
- sender.email.domain.root_domain is not 'dropbox.com'
any of
[body.current_thread.text, body.plain.raw] where: . matches any of 4 patterns
*Google Drive*, *Google Doc*, *Google Sheet*, *Google Slide*
any of:
subject.subject matches any of 4 patterns
*shared*, *updated*, *sign*, *review*
any of
recipients.to where: - strings.icontains(subject.subject)
subject.subject matches any of 3 patterns
*Docs*, *Sheets*, *Slides*
any of
body.links where any holds: - .display_text contains 'open document'
- .display_text ends with '.pdf'
- sender.display_name matches '*Google Drive*'
- subject.subject is missing
- subject.subject is ''
- body.current_thread.text matches '^g.o.o.g.l.e'
any of
['Contigo', 'Avec vous', 'Mit Ihnen', 'Con te', 'Com você', 'Met u', 'С вами', '与你', '與您', 'あなたと', '당신과', 'معك', 'آپ کے ساتھ', 'আপনার সাথে', 'आपके साथ', 'Sizinle', 'Med dig', 'Z tobą', 'З вами', 'Önnel', 'Μαζί σας', 'איתך', 'กับคุณ', 'Với bạn', 'Dengan Anda', 'Nawe', 'Cu dumneavoastră', 'S vámi', 'Med deg', 'S vami', 'Med dig', 'Amb vostè', 'Teiega', 'S vama'] where: - strings.icontains(subject.subject)
any of:
any of
ml.logo_detect(file.message_screenshot()).brands where: - .name starts with 'Google'
- body.html.raw contains '<table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation">'
any of
attachments where all hold: - .file_type in $file_types_images
any of:
any of
ml.logo_detect(.).brands where: - .name starts with 'Google'
- strings.icontains(beta.ocr(.).text)
- strings.icontains(beta.ocr(.).text)
any of
recipients.to where: - strings.icontains(beta.ocr(.).text)
any of
recipients.to where: - strings.icontains(beta.ocr(.).text)
- strings.icontains(beta.ocr(.).text)
- strings.icontains(body.current_thread.text)
- strings.icontains(body.current_thread.text)
any of
recipients.to where: - strings.icontains(body.current_thread.text)
any of
recipients.to where: - strings.icontains(body.current_thread.text)
- strings.icontains(body.current_thread.text)
at least 2 of:
- body.current_thread.text contains 'Google LLC'
- body.current_thread.text contains '1600 Amphitheatre Parkway'
- body.current_thread.text contains 'Mountain View, CA 94043'
not:
all of
body.links where all hold: - .href_url.domain.root_domain in ('google.com')
- .href_url.domain.domain is not 'sites.google.com'
- sender.email.domain.root_domain not in $org_domains
- sender.email.domain.root_domain not in ('google.com')
not:
all of:
all of
headers.references where: - . ends with '@docs-share.google.com'
- headers.return_path.domain.domain is 'doclist.bounces.google.com'
not:
all of:
- length(body.previous_threads) is not 0
- length(body.previous_threads[].links) is not 0
all of
body.previous_threads[].links where: - .href_url.domain.root_domain is 'google.com'
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
any of:
- profile.by_sender().solicited is False
- profile.by_sender_email().prevalence is 'new'
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
not:
- profile.by_sender().any_messages_benign
Inspects: attachments[].file_type, body.current_thread.text, body.html.raw, body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.plain.raw, body.previous_threads, body.previous_threads[].links, body.previous_threads[].links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, headers.references, headers.return_path.domain.domain, recipients.to, recipients.to[].email.domain.sld, recipients.to[].email.email, sender.display_name, sender.email.domain.root_domain, sender.email.email, subject.subject, type.inbound. Sensors: beta.ocr, file.message_screenshot, ml.logo_detect, profile.by_sender, profile.by_sender_email, regex.icontains, strings.concat, strings.ends_with, strings.icontains, strings.iends_with, strings.ilike, strings.starts_with. Reference lists: $file_types_images, $high_trust_sender_root_domains, $org_domains.
Indicators matched (39)
| Field | Match | Value |
|---|---|---|
| strings.ilike | substring | *shared a file with you* |
| strings.ilike | substring | *shared with you* |
| strings.ilike | substring | *invited you to review* |
| strings.ilike | substring | *received a document* |
| strings.ilike | substring | *shared a document* |
| strings.ilike | substring | *shared a spreadsheet* |
| strings.ilike | substring | *shared this document* |
| strings.ilike | substring | *shared an item* |
| strings.ilike | substring | *received this email because you* |
| strings.ilike | substring | *shared a*with you* |
| strings.ilike | substring | *automated *mail from google*drive* |
| strings.ilike | substring | *added as an editor* |
| strings.ilike | substring | *invited you to edit* |
| regex.icontains | regex | shared \".*\" with you |
| strings.ilike | substring | *Google Drive* |
| strings.ilike | substring | *Google Doc* |
| strings.ilike | substring | *Google Sheet* |
| strings.ilike | substring | *Google Slide* |
| strings.ilike | substring | *shared* |
| strings.ilike | substring | *updated* |
| strings.ilike | substring | *sign* |
| strings.ilike | substring | *review* |
| strings.ilike | substring | *Docs* |
| strings.ilike | substring | *Sheets* |
| strings.ilike | substring | *Slides* |
| strings.icontains | substring | open document |
| strings.iends_with | suffix | .pdf |
| subject.subject | equals | |
| regex.icontains | regex | ^g.o.o.g.l.e |
| strings.starts_with | prefix | Google |
| strings.icontains | substring | <table style="width:100%; border:1px solid #dadce0; border-radius:6px; border-spacing:0; border-collapse:separate; table-layout:fixed" role="presentation"> |
| strings.icontains | substring | Google LLC |
| strings.icontains | substring | 1600 Amphitheatre Parkway |
| strings.icontains | substring | Mountain View, CA 94043 |
| body.links[].href_url.domain.root_domain | member | google.com |
| sender.email.domain.root_domain | member | google.com |
| strings.ends_with | suffix | @docs-share.google.com |
| headers.return_path.domain.domain | equals | doclist.bounces.google.com |
| body.previous_threads[].links[].href_url.domain.root_domain | equals | google.com |