detection.wiki

Detection rules › Sublime MQL

Google Notification alert link from non-Google sender

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule detects messages that leverage a link to notifications.google.com not from google and from an untrusted sender. Commonly abused in salesforce phishing campaigns.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesSocial engineering

Event coverage

Message attribute
body
body.links (collection)
headers.auth_summary
headers.return_path
sender.email
subject
type

Rule body MQL

type.inbound
// ignore messages from google[.]com unlesss they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in ("google.com", "youtube.com", "nest.com")
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in (
    "google.com",
    "youtube.com",
    "nest.com"
  )
)
and any(body.links,
        .href_url.domain.domain == "notifications.google.com"
        and strings.starts_with(.href_url.path, "/g/p/")
)
and (
  any($suspicious_subjects, strings.icontains(subject.subject, .))
  or strings.ilike(subject.subject, '*verification*')
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  // we've observed salesforce abuse
  or sender.email.domain.root_domain == "salesforce.com"
  or headers.return_path.domain.root_domain == "salesforce.com"
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

This rule detects messages that leverage a link to notifications.google.com not from google and from an untrusted sender. Commonly abused in salesforce phishing campaigns.

  1. inbound message
  2. any of:
    • all of:
      • sender.email.domain.root_domain in ('google.com', 'youtube.com', 'nest.com')
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in ('google.com', 'youtube.com', 'nest.com')
  3. any of body.links where all hold:
    • .href_url.domain.domain is 'notifications.google.com'
    • .href_url.path starts with '/g/p/'
  4. any of:
    • any of $suspicious_subjects where:
      • strings.icontains(subject.subject)
    • subject.subject matches '*verification*'
  5. any of:
    • all of:
      • profile.by_sender().prevalence in ('new', 'outlier')
      • not:
        • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
    • sender.email.domain.root_domain is 'salesforce.com'
    • headers.return_path.domain.root_domain is 'salesforce.com'
  6. not:
    • profile.by_sender().any_messages_benign

Inspects: body.links, body.links[].href_url.domain.domain, body.links[].href_url.path, headers.auth_summary.dmarc.pass, headers.return_path.domain.root_domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: profile.by_sender, strings.icontains, strings.ilike, strings.starts_with. Reference lists: $suspicious_subjects.

Indicators matched (8)

FieldMatchValue
sender.email.domain.root_domainmembergoogle.com
sender.email.domain.root_domainmemberyoutube.com
sender.email.domain.root_domainmembernest.com
body.links[].href_url.domain.domainequalsnotifications.google.com
strings.starts_withprefix/g/p/
strings.ilikesubstring*verification*
sender.email.domain.root_domainequalssalesforce.com
headers.return_path.domain.root_domainequalssalesforce.com