
Spam: Sexually explicit Google Drive share

Severity
low
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects Google Drive share notifications (sent by drive-shares-noreply@google.com) whose Reply-To address belongs to a non-organizational domain and is not a known recipient or sender, and whose subject or current-thread body contains sexually explicit keywords. Because the notification itself is sent by Google, the only attacker-controlled signals are the Reply-To address and the file name and message that Google embeds in the subject and body.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Spam
Tactics and techniques: Social engineering, Free email provider

Event coverage

Rule body MQL

type.inbound
// 
//  Warning: This rule contains sexually explicit keywords
// 
and sender.email.email == "drive-shares-noreply@google.com"
// the invite is not from an $org_domain user
and all(headers.reply_to,
        .email.domain.domain not in $org_domains
        and .email.email not in $recipient_emails
        and .email.email not in $sender_emails
)
// the subject or the body contain sexually explicit keywords
and any([subject.subject, body.current_thread.text],
        // this regex should be kept in sync between the Google Group and the Looker Studio rules
        regex.icontains(.,
                        '(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|\bcum\b|girlfriend|boyfriend|naked|porn|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|\bxxx\b|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult\s*(?:\w+\s+){0,2}\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
        )
)

Detection logic

Scope: inbound message.


  1. inbound message
  2. sender.email.email is 'drive-shares-noreply@google.com'
  3. all of headers.reply_to where all hold:
    • .email.domain.domain not in $org_domains
    • .email.email not in $recipient_emails
    • .email.email not in $sender_emails
  4. any of [subject.subject, body.current_thread.text] where:
    • . matches '(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|\bcum\b|girlfriend|boyfriend|naked|porn|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|\bxxx\b|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult\s*(?:\w+\s+){0,2}\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)' (case-insensitive)

Inspects: body.current_thread.text, headers.reply_to, headers.reply_to[].email.domain.domain, headers.reply_to[].email.email, sender.email.email, subject.subject, type.inbound. Sensors: regex.icontains. Reference lists: $org_domains, $recipient_emails, $sender_emails.
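The same logic expressed in Python, so the rule can be dry-run against sample notifications before it is deployed. This is an added example, not code from the sublime-rules project: the `Message` class is a hypothetical stand-in for the MQL fields the rule reads, the regex is copied verbatim from the rule body, and the sample messages and the $org_domains / $recipient_emails / $sender_emails lists are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Keyword pattern copied verbatim from the rule body; re.IGNORECASE mirrors regex.icontains.
EXPLICIT_RE = re.compile(
    r'(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|\bcum\b|girlfriend|boyfriend|naked|porn'
    r'|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|\bxxx\b|nudes?|sexting'
    r'|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce'
    r'|adult\s*(?:\w+\s+){0,2}\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)',
    re.IGNORECASE,
)

DRIVE_SENDER = "drive-shares-noreply@google.com"


@dataclass
class Message:
    """Hypothetical stand-in for the MQL message fields the rule reads (not Sublime's data model)."""
    sender_email: str      # sender.email.email
    reply_to: list         # headers.reply_to[].email.email
    subject: str           # subject.subject
    body_text: str         # body.current_thread.text
    inbound: bool = True   # type.inbound


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def explicit_hits(text: str) -> list:
    """Return the substrings the rule's regex matched; handy when triaging why a message fired."""
    return [m.group(0) for m in EXPLICIT_RE.finditer(text)]


def is_explicit_drive_share(msg, org_domains, recipient_emails, sender_emails) -> bool:
    if not msg.inbound:
        return False
    if msg.sender_email.lower() != DRIVE_SENDER:
        return False
    # all(headers.reply_to, ...): every Reply-To address must be outside the org and not a
    # known recipient or sender. Python's all() over an empty list is True, so a message with
    # no Reply-To passes this clause here; assuming MQL's all() behaves the same is an assumption.
    if not all(
        domain_of(a) not in org_domains
        and a.lower() not in recipient_emails
        and a.lower() not in sender_emails
        for a in msg.reply_to
    ):
        return False
    # any([subject.subject, body.current_thread.text], regex.icontains(., ...))
    return any(EXPLICIT_RE.search(t) for t in (msg.subject, msg.body_text))


# Constructed reference lists and sample notifications (not real traffic).
ORG_DOMAINS = {"example.com"}
RECIPIENT_EMAILS = {"alice@example.com"}
SENDER_EMAILS = {"bob@example.com"}

SAMPLES = {
    "external_explicit": Message(DRIVE_SENDER, ["lonelyheart99@gmail.com"],
        "Document shared with you: Hot nudes inside",
        "lonelyheart99@gmail.com shared a file with you."),
    "internal_share": Message(DRIVE_SENDER, ["bob@example.com"],
        "Document shared with you: intimate notes",
        "bob@example.com shared a file with you."),
    "external_benign": Message(DRIVE_SENDER, ["bob.builder@gmail.com"],
        "Spreadsheet shared with you: Q3 budget.xlsx",
        "bob.builder@gmail.com shared a file with you."),
    "not_drive_notification": Message("lonelyheart99@gmail.com", ["lonelyheart99@gmail.com"],
        "Hot nudes inside", "click here"),
    "external_false_positive": Message(DRIVE_SENDER, ["contractor@gmail.com"],
        "Document shared with you: Essex office relocation plan",
        "contractor@gmail.com shared a file with you."),
}


def evaluate_samples() -> dict:
    return {name: is_explicit_drive_share(m, ORG_DOMAINS, RECIPIENT_EMAILS, SENDER_EMAILS)
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        m = SAMPLES[name]
        print(f"{name:24} -> {fired}  hits={explicit_hits(m.subject + ' ' + m.body_text)}")
```

The last sample illustrates the caveat a tuner should keep in mind: alternatives such as `sex`, `strip`, `desire`, `suck` and `affair` carry no `\b` anchors, so they substring-match ordinary words ("Essex", "stripe", "desirable"). The out-of-org Reply-To gate and the low severity are what keep that from being a problem in practice; if the rule is tightened, anchoring those tokens is the first change to consider.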

Indicators matched (2)

Field: sender.email.email
Match: equals
Value: drive-shares-noreply@google.com

Field: regex.icontains
Match: regex
Value: (?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|\bcum\b|girlfriend|boyfriend|naked|porn|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|\bxxx\b|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult\s*(?:\w+\s+){0,2}\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)