Brand impersonation: Google fake sign-in warning
Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| body |
| body.links (collection) |
| sender.email |
| type |
Rule body MQL
type.inbound
and length(body.links) > 0
// Google Logo in Attachment
and any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, .name in ("Google"))
)
and any(attachments,
.file_type in $file_types_images
and (
any(file.explode(.),
// Fake activity warning
3 of (
strings.ilike(.scan.ocr.raw, "*new sign-in*"),
strings.ilike(.scan.ocr.raw, "*google account*"),
strings.ilike(.scan.ocr.raw, "*secure your account*"),
strings.ilike(.scan.ocr.raw, "*check activity*"),
)
)
)
)
// legitimate sign-in warnings contain links only to google.com, gmail.com or googleapis.com
and (
not all(body.links,
.href_url.domain.root_domain in (
"google.com",
"gmail.com",
"googleapis.com"
)
or .href_url.domain.root_domain is null
)
)
and sender.email.domain.root_domain not in $org_domains
and sender.email.domain.root_domain != "google.com"
Detection logic
Scope: inbound message.
- inbound message
- length(body.links) > 0
- any of attachments where all hold:
  - .file_type in $file_types_images
  - any of ml.logo_detect(.).brands where .name in ('Google')
- any of attachments where all hold:
  - .file_type in $file_types_images
  - any of file.explode(.) where at least 3 of 4 hold: .scan.ocr.raw matches one of these patterns
    - *new sign-in*
    - *google account*
    - *secure your account*
    - *check activity*
- not: all of body.links where any holds:
  - .href_url.domain.root_domain in ('google.com', 'gmail.com', 'googleapis.com')
  - .href_url.domain.root_domain is missing
- sender.email.domain.root_domain not in $org_domains
- sender.email.domain.root_domain is not 'google.com'
Inspects: attachments[].file_type, body.links, body.links[].href_url.domain.root_domain, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.logo_detect, strings.ilike. Reference lists: $file_types_images, $org_domains.
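As an added worked example (not part of this page and not Sublime's engine or rule code), the Python below models the rule's boolean logic and runs it over constructed sample messages. It assumes stand-in values for $file_types_images and $org_domains, supplies the ml.logo_detect and OCR results as fields on the constructed messages, and models strings.ilike with a case-insensitive glob match; the Message and Attachment classes and all sample data are hypothetical.

```python
"""Model of the 'Google fake sign-in warning' rule, run over constructed samples."""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif"}  # assumed stand-in for $file_types_images
ORG_DOMAINS = {"example.com"}                     # assumed stand-in for $org_domains
GOOGLE_ROOTS = {"google.com", "gmail.com", "googleapis.com"}
OCR_PATTERNS = ("*new sign-in*", "*google account*",
                "*secure your account*", "*check activity*")


@dataclass
class Attachment:
    file_type: str
    ocr_raw: str = ""          # stands in for file.explode(.).scan.ocr.raw
    logo_brands: tuple = ()    # stands in for ml.logo_detect(.).brands[].name


@dataclass
class Message:
    inbound: bool
    sender_root_domain: str                 # sender.email.domain.root_domain
    link_root_domains: list                 # body.links[].href_url.domain.root_domain; None = null
    attachments: list = field(default_factory=list)


def ilike(text: str, pattern: str) -> bool:
    """strings.ilike as a case-insensitive glob: '*' matches any run of characters."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def ocr_warning_hits(text: str) -> int:
    """How many of the four fake-activity phrases appear in the OCR text."""
    return sum(ilike(text, p) for p in OCR_PATTERNS)


def matches(msg: Message) -> bool:
    """Return True when the constructed message satisfies every clause of the rule."""
    if not msg.inbound or len(msg.link_root_domains) == 0:
        return False
    images = [a for a in msg.attachments if a.file_type in FILE_TYPES_IMAGES]
    # The two any(attachments, ...) clauses are independent: the logo and the
    # warning text may sit in different image attachments.
    if not any("Google" in a.logo_brands for a in images):
        return False
    if not any(ocr_warning_hits(a.ocr_raw) >= 3 for a in images):
        return False
    # not all(body.links, google root OR root is null): fires only when at
    # least one link has a non-null root domain outside the Google set.
    if all(d is None or d in GOOGLE_ROOTS for d in msg.link_root_domains):
        return False
    if msg.sender_root_domain in ORG_DOMAINS or msg.sender_root_domain == "google.com":
        return False
    return True


# Constructed OCR text: hits 3 of the 4 phrases (no "check activity").
FAKE_WARNING_OCR = ("New sign-in on Windows\n"
                    "Someone just used your password to sign in to your Google Account.\n"
                    "Secure your account\n")
LURE = Attachment("png", FAKE_WARNING_OCR, ("Google",))

SAMPLES = {  # all constructed
    # image with logo + warning, link points off Google
    "phish": Message(True, "example.net", ["evil-login.example.net"], [LURE]),
    # same image, but every link resolves to a Google property
    "legit_links": Message(True, "example.net", ["google.com", "googleapis.com"], [LURE]),
    # no links at all: excluded by length(body.links) > 0
    "no_links": Message(True, "example.net", [], [LURE]),
    # only 2 of the 4 phrases present
    "two_phrases": Message(True, "example.net", ["evil-login.example.net"],
                           [Attachment("png", "New sign-in to your Google Account", ("Google",))]),
    # sender root domain is google.com itself
    "from_google": Message(True, "google.com", ["evil-login.example.net"], [LURE]),
    # the only link has a null root domain, which the rule groups with Google links
    "null_domain": Message(True, "example.net", [None], [LURE]),
}


def evaluate_samples() -> dict:
    return {name: matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:12s} -> {'MATCH' if hit else 'no match'}")
```

The no_links and null_domain cases show two boundaries of the rule worth knowing: a lure that carries the fake warning purely as an image with no hyperlinks does not fire (the rule requires at least one link), and links whose root domain is null are treated the same as links to Google, so a message whose only links lack a root domain is also not flagged.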
Indicators matched (8)
| Field | Match | Value |
|---|---|---|
| ml.logo_detect(attachments[]).brands[].name | member | Google |
| strings.ilike(file.explode(attachments[]).scan.ocr.raw) | substring | *new sign-in* |
| strings.ilike(file.explode(attachments[]).scan.ocr.raw) | substring | *google account* |
| strings.ilike(file.explode(attachments[]).scan.ocr.raw) | substring | *secure your account* |
| strings.ilike(file.explode(attachments[]).scan.ocr.raw) | substring | *check activity* |
| body.links[].href_url.domain.root_domain | member | google.com |
| body.links[].href_url.domain.root_domain | member | gmail.com |
| body.links[].href_url.domain.root_domain | member | googleapis.com |