Google Drive direct download link from unsolicited sender
This rule detects Google Drive links that use the direct download URL pattern, which downloads the file as soon as the link is clicked instead of showing Drive's preview page. The links are formatted like: drive.google.com/uc?id=FILE_ID&export=download. Threat actors frequently use this pattern to push malware onto a recipient's device while appearing to share legitimate content from a trusted service.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware, Credential Phishing |
| Tactics and techniques | Evasion, Social engineering, Free file host |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
type.inbound
and 0 < length(body.links) < 10
and any(body.links,
        (
          // Match Google Drive direct download links
          strings.icontains(.href_url.url, "drive.google.com/uc")
          and (
            strings.icontains(.href_url.url, "export=download")
            or strings.icontains(.href_url.query_params, "export=download")
          )
        )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  // Only trigger on unsolicited senders
  not profile.by_sender().solicited
  or (
    // Or senders with suspicious history
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
Detection logic
Scope: inbound message.
- inbound message
- all of:
  - length(body.links) > 0
  - length(body.links) < 10
- any of body.links where all hold:
  - .href_url.url contains 'drive.google.com/uc'
  - any of:
    - .href_url.url contains 'export=download'
    - .href_url.query_params contains 'export=download'
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not: headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
- any of:
  - not: profile.by_sender().solicited
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not: profile.by_sender().any_messages_benign
Inspects: body.links, body.links[].href_url.query_params, body.links[].href_url.url, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, strings.icontains. Reference lists: $high_trust_sender_root_domains.
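The four clauses of the rule above, re-implemented in Python as an added example and run over constructed messages so each branch can be exercised offline. This is not Sublime's MQL engine or the rule's own code: the Message fields stand in for the MQL attributes, the contents of $high_trust_sender_root_domains are assumed (the page does not list them), and the Drive file id and sender domains are made up.

```python
"""Stand-alone re-implementation of the rule's predicate (Python, not MQL) so the
branches can be exercised against constructed messages offline."""
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Stand-in for Sublime's $high_trust_sender_root_domains list; the real list's
# contents are not on the page, so these two entries are an assumption.
HIGH_TRUST_SENDER_ROOT_DOMAINS: Set[str] = {"google.com", "microsoft.com"}


def is_drive_direct_download(url: str) -> bool:
    """Mirror the any(body.links, ...) clause: 'drive.google.com/uc' anywhere in the
    URL and 'export=download' in the URL or its query string, case-insensitively."""
    lowered = url.lower()
    if "drive.google.com/uc" not in lowered:
        return False
    # The rule checks .href_url.query_params separately; urlsplit().query is the
    # closest stand-in for that field here.
    query = urlsplit(url).query.lower()
    return "export=download" in lowered or "export=download" in query


def sender_trust_ok(root_domain: str, dmarc_pass: bool) -> bool:
    """Trusted root domains are excluded unless the message failed DMARC, which is
    the case where the trusted domain is likely being spoofed."""
    if root_domain.lower() in HIGH_TRUST_SENDER_ROOT_DOMAINS:
        return not dmarc_pass
    return True


def sender_history_ok(solicited: bool, any_malicious_or_spam: bool,
                      any_benign: bool) -> bool:
    """Fire for unsolicited senders, or solicited senders whose history is only bad."""
    return (not solicited) or (any_malicious_or_spam and not any_benign)


@dataclass
class Message:
    inbound: bool
    links: List[str]
    sender_root_domain: str
    dmarc_pass: bool
    solicited: bool
    any_malicious_or_spam: bool = False
    any_benign: bool = False


def rule_matches(msg: Message) -> bool:
    """Conjunction of the four top-level clauses in the rule body."""
    if not msg.inbound:
        return False
    if not 0 < len(msg.links) < 10:  # same bounds as 0 < length(body.links) < 10
        return False
    if not any(is_drive_direct_download(u) for u in msg.links):
        return False
    if not sender_trust_ok(msg.sender_root_domain, msg.dmarc_pass):
        return False
    return sender_history_ok(msg.solicited, msg.any_malicious_or_spam, msg.any_benign)


# Constructed sample links and messages; the file id and domains are made up.
DIRECT = "https://drive.google.com/uc?id=1AbCdEfGhIjK&export=download"
PREVIEW = "https://drive.google.com/file/d/1AbCdEfGhIjK/view?usp=sharing"

SAMPLES: Dict[str, Message] = {
    "unsolicited_direct": Message(True, [DIRECT], "example.net", True, solicited=False),
    "solicited_clean_history": Message(True, [DIRECT], "example.net", True, solicited=True,
                                       any_benign=True),
    "solicited_bad_history": Message(True, [DIRECT], "example.net", True, solicited=True,
                                     any_malicious_or_spam=True),
    "preview_link_only": Message(True, [PREVIEW], "example.net", True, solicited=False),
    "trusted_dmarc_pass": Message(True, [DIRECT], "google.com", True, solicited=False),
    "trusted_dmarc_fail": Message(True, [DIRECT], "google.com", False, solicited=False),
    "bulk_mail_many_links": Message(True, [DIRECT] + [f"https://example.net/{i}" for i in range(12)],
                                    "example.net", True, solicited=False),
    "outbound": Message(False, [DIRECT], "example.net", True, solicited=False),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every constructed sample and return name -> matched."""
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'MATCH   ' if hit else 'no match'}  {name}")
```

Two of the samples show why the rule is shaped the way it is: the upper bound on link count keeps bulk mail and newsletters that happen to embed one Drive link from firing, and the trusted-domain branch only fires when DMARC fails, so a message that merely claims to come from google.com is caught while a genuine Google notification is not.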
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
| strings.icontains | substring | drive.google.com/uc |
| strings.icontains | substring | export=download |