Google share notification with suspicious comments

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

This detection rule matches inbound messages that carry suspicious language in the comment block of a Google Drive share notification. The comment is treated as suspicious when it opens with a reply or forward abbreviation such as FW:, FWD: or RE:, or when it contains wording that refers to a file share (for example "shared a file" or "click to view"), since that is language a phishing lure uses to make the notification itself look like the shared item.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                Values
Attack types            Credential Phishing
Tactics and techniques  Impersonation: VIP, Free file host

Event coverage

Rule body MQL

type.inbound
and 
// message is from google actual
sender.email.domain.domain == 'google.com'
and (
  sender.email.local_part == "drive-shares-noreply"
  or sender.email.local_part == "drive-shares-dm-noreply"
)
// contains a comment
and strings.icontains(body.html.raw,
                      '<div style="margin-top:24px; color:#5F6368">'
)
// those comments contain what appears to be an email
and (
  regex.icontains(body.html.raw,
                  '</div>\s*<div style="margin-top:24px; color:#5F6368">\s*(?:RE|FWD?)\s*:'
  )
  // the comment contains wording that relates to sharing a file
  // the list before being sent through regexp-assemble
  //   "request to view", "shared a file",   "sent you a file",
  //   "file access request", "view shared document",
  //   "pending file request", "document shared", "view a file",
  //   "file sent to you", "invited to view", "file access invite",
  //   "click to view", "open shared file", "drive file request"
  or regex.icontains(body.html.raw,
                     '</div>\s*<div style="margin-top:24px; color:#5F6368">[^<]*(?:<[^\/][^<]*)*(?:file (?:access (?:request|invite)|sent to you)|(?:s(?:ent you|hared) a|open shared) file|d(?:rive file request|ocument shared)|(?:invited|request|click) to view|view (?:shared document|a file)|pending file request)[^<]*(?:<[^\/][^<]*)*</div>\s*</td>'
  )
)
// not where the sender display name of the message is within org_display_names
and not (
  // the message is from google actual
  sender.email.email in (
    'comments-noreply@docs.google.com',
    'drive-shares-dm-noreply@google.com',
    'drive-shares-noreply@google.com',
    'calendar-notification@google.com'
  )
  and headers.auth_summary.dmarc.pass
  // but the sender display name is within org_display_names
  and (
    any(regex.iextract(sender.display_name,
                       '^(?P<sender_display_name>.*)\((?:via )?Google'
        ),
        .named_groups["sender_display_name"] in~ $org_display_names
    )
    or (
      length(headers.reply_to) == 1
      and all(headers.reply_to, .email.domain.domain in $org_domains)
    )
  )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. sender.email.domain.domain is 'google.com'
  3. any of:
    • sender.email.local_part is 'drive-shares-noreply'
    • sender.email.local_part is 'drive-shares-dm-noreply'
  4. body.html.raw contains '<div style="margin-top:24px; color:#5F6368">'
  5. any of:
    • body.html.raw matches '</div>\s*<div style="margin-top:24px; color:#5F6368">\s*(?:RE|FWD?)\s*:'
    • body.html.raw matches '</div>\s*<div style="margin-top:24px; color:#5F6368">[^<]*(?:<[^\/][^<]*)*(?:file (?:access (?:request|invite)|sent to you)|(?:s(?:ent you|hared) a|open shared) file|d(?:rive file request|ocument shared)|(?:invited|request|click) to view|view (?:shared document|a file)|pending file request)[^<]*(?:<[^\/][^<]*)*</div>\s*</td>'
  6. not:
    • all of:
      • sender.email.email in ('comments-noreply@docs.google.com', 'drive-shares-dm-noreply@google.com', 'drive-shares-noreply@google.com', 'calendar-notification@google.com')
      • headers.auth_summary.dmarc.pass
      • any of:
        • any of regex.iextract(sender.display_name) where:
          • .named_groups['sender_display_name'] in $org_display_names
        • all of:
          • length(headers.reply_to) is 1
          • all of headers.reply_to where:
            • .email.domain.domain in $org_domains

Inspects: body.html.raw, headers.auth_summary.dmarc.pass, headers.reply_to, headers.reply_to[].email.domain.domain, sender.display_name, sender.email.domain.domain, sender.email.email, sender.email.local_part, type.inbound. Sensors: regex.icontains, regex.iextract, strings.icontains. Reference lists: $org_display_names, $org_domains.
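To see the conditions above work end to end, here is an added Python re-implementation of the rule's logic (example code, not Sublime's engine or the rule repository's own tooling) run over constructed share-notification bodies. The regexes and sender list are taken from the rule body; the message dict layout, the make() helper and the strip() applied to the extracted display name are assumptions of this example.

```python
import re

# Patterns are copied from the rule body above; the harness around them is an added
# example (not Sublime's engine), and the message dict layout is this example's assumption.
COMMENT_DIV = '<div style="margin-top:24px; color:#5F6368">'
RE_FWD = re.compile(
    r'</div>\s*<div style="margin-top:24px; color:#5F6368">\s*(?:RE|FWD?)\s*:', re.I)
FILE_SHARE = re.compile(
    r'</div>\s*<div style="margin-top:24px; color:#5F6368">[^<]*(?:<[^\/][^<]*)*'
    r'(?:file (?:access (?:request|invite)|sent to you)|(?:s(?:ent you|hared) a|open shared) file'
    r'|d(?:rive file request|ocument shared)|(?:invited|request|click) to view'
    r'|view (?:shared document|a file)|pending file request)[^<]*(?:<[^\/][^<]*)*</div>\s*</td>', re.I)
DISPLAY_NAME = re.compile(r'^(?P<sender_display_name>.*)\((?:via )?Google', re.I)
GOOGLE_SENDERS = {"comments-noreply@docs.google.com", "drive-shares-dm-noreply@google.com",
                  "drive-shares-noreply@google.com", "calendar-notification@google.com"}

def rule_matches(msg, org_display_names, org_domains):
    """True when the rule above would fire on msg (a constructed dict, see make())."""
    local, domain = msg["sender"].split("@")
    if not msg["inbound"] or domain != "google.com":
        return False
    if local not in ("drive-shares-noreply", "drive-shares-dm-noreply"):
        return False
    html = msg["html"]
    if COMMENT_DIV.lower() not in html.lower():          # strings.icontains
        return False
    if not (RE_FWD.search(html) or FILE_SHARE.search(html)):
        return False
    # Exclusion: DMARC-passing Google notification whose sharer is one of our own
    # display names, or whose only reply-to address sits in an org domain.
    if msg["sender"] in GOOGLE_SENDERS and msg["dmarc_pass"]:
        m = DISPLAY_NAME.search(msg["display_name"])
        names = {n.lower() for n in org_display_names}      # in~ is case-insensitive
        if m and m.group("sender_display_name").strip().lower() in names:  # strip() is ours
            return False
        reply_to = msg["reply_to"]
        if len(reply_to) == 1 and all(r.split("@")[1] in org_domains for r in reply_to):
            return False
    return True

def notification(comment):
    """Constructed share-notification body, trimmed to the block the regexes key on."""
    return '<td><div>Someone shared an item with you</div>' + COMMENT_DIV + comment + '</div></td>'

def make(comment, display_name="Alice Attacker (via Google Drive)", reply_to=()):
    return {"inbound": True, "sender": "drive-shares-noreply@google.com",
            "display_name": display_name, "html": notification(comment),
            "dmarc_pass": True, "reply_to": list(reply_to)}
```

The two exclusion branches are what keep a genuine share from a colleague (display name in $org_display_names, or a single org-domain reply-to) from firing, so tuning those lists is the main false-positive lever.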

Indicators matched (11)

Field                       Match      Value
sender.email.domain.domain  equals     google.com
sender.email.local_part     equals     drive-shares-noreply
sender.email.local_part     equals     drive-shares-dm-noreply
strings.icontains           substring  <div style="margin-top:24px; color:#5F6368">
regex.icontains             regex      </div>\s*<div style="margin-top:24px; color:#5F6368">\s*(?:RE|FWD?)\s*:
regex.icontains             regex      </div>\s*<div style="margin-top:24px; color:#5F6368">[^<]*(?:<[^\/][^<]*)*(?:file (?:access (?:request|invite)|sent to you)|(?:s(?:ent you|hared) a|open shared) file|d(?:rive file request|ocument shared)|(?:invited|request|click) to view|view (?:shared document|a file)|pending file request)[^<]*(?:<[^\/][^<]*)*</div>\s*</td>
sender.email.email          member     comments-noreply@docs.google.com
sender.email.email          member     drive-shares-dm-noreply@google.com
sender.email.email          member     drive-shares-noreply@google.com
sender.email.email          member     calendar-notification@google.com
regex.iextract              regex      ^(?P<sender_display_name>.*)\((?:via )?Google