Spam: Sexually explicit Google group invitation
Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Free email provider, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| subject |
| type |
Rule body MQL
```mql
type.inbound
//
// Warning: This rule contains sexually explicit keywords
//
and sender.email.email == "noreply@groups.google.com"
and (
  strings.istarts_with(subject.base, 'Invitation to join ')
  or strings.istarts_with(subject.base, 'You have been added to ')
  // the group name contains sexually explicit keywords
  // this regex should be kept in sync between the Google Group, Google Drive Share, and Looker Studio rules
  or regex.icontains(subject.base,
                     '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
  )
)
// the invite is not from an $org_domains user
and not any($org_domains,
            strings.icontains(body.current_thread.text,
                              strings.concat('@', ., ' invited you to join the ')
            )
            or strings.icontains(body.current_thread.text,
                                 strings.concat('@', ., ' added you to the ')
            )
)
and (
  // the group name starts and ends with a 5-7 char alphanumeric token and has a
  // non-ASCII or non-alphabetic character immediately before the final token
  regex.icontains(subject.base,
                  '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$'
  )
  // calls to action in the group name
  or regex.icontains(subject.base,
                     '(?:added to|to join) .*(join|(?:click|go|tap) here)'
  )
  // the group name contains an emoji
  or regex.icontains(subject.base,
                     '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
  )
  // the description of the group contains sexually explicit keywords
  // this regex should be kept in sync between the Google Group and the Looker Studio rules
  or regex.icontains(body.current_thread.text,
                     '(?:about this group|message from).*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner).*https?://'
  )
  // the inviter's email domain contains three dot-separated labels
  or (
    regex.icontains(body.current_thread.text,
                    '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)'
    )
    // unless the group itself is a mailing list under a "lists." host
    and not regex.icontains(body.current_thread.text,
                            '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\@]+\@lists\.'
    )
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- sender.email.email is 'noreply@groups.google.com'
- any of:
  - subject.base starts with 'Invitation to join '
  - subject.base starts with 'You have been added to '
  - subject.base matches `(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)`
- not any of $org_domains where either holds:
  - strings.icontains(body.current_thread.text, strings.concat('@', domain, ' invited you to join the '))
  - strings.icontains(body.current_thread.text, strings.concat('@', domain, ' added you to the '))
- any of:
  - subject.base matches `(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$`
  - subject.base matches `(?:added to|to join) .*(join|(?:click|go|tap) here)`
  - subject.base matches `(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]`
  - body.current_thread.text matches `(?:about this group|message from).*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner).*https?://`
  - all of:
    - body.current_thread.text matches `\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)`
    - not: body.current_thread.text matches `\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\@]+\@lists\.`
Inspects: body.current_thread.text, sender.email.email, subject.base, type.inbound. Sensors: regex.icontains, strings.concat, strings.icontains, strings.istarts_with. Reference lists: $org_domains.
Indicators matched (10)
| Field | Match | Value |
|---|---|---|
| sender.email.email | equals | noreply@groups.google.com |
| strings.istarts_with | prefix | Invitation to join |
| strings.istarts_with | prefix | You have been added to |
| regex.icontains | regex | `(?:Invitation to join\|You have been added to) .*(?:sex\|horny\|cock\|fuck\|\bass\b\|pussy\|dick\|tits\|cum\|girlfriend\|boyfriend\|naked\|porn\|video\|webcam\|masturbate\|orgasm\|breasts\|penis\|vagina\|strip\|suck\|blowjob\|hardcore\|xxx\|nudes?\|sexting\|cheating\|affair\|erotic\|\blust\b\|desire\|intimate\|explicit\|fetish\|kinky\|seduce\|adult community\|cam shows\|local (?:girls?\|women\|single)\|hook.?up\|bed partner)` |
| regex.icontains | regex | `(?:added to\|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]\|[[:^alpha:]]) [A-Z0-9]{5,7}$` |
| regex.icontains | regex | `(?:added to\|to join) .*(join\|(?:click\|go\|tap) here)` |
| regex.icontains | regex | `(?:added to\|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]` |
| regex.icontains | regex | `(?:about this group\|message from).*(?:sex\|horny\|cock\|fuck\|\bass\b\|pussy\|dick\|tits\|cum\|girlfriend\|boyfriend\|naked\|porn\|video\|webcam\|masturbate\|orgasm\|breasts\|penis\|vagina\|strip\|suck\|blowjob\|hardcore\|xxx\|nudes?\|sexting\|cheating\|affair\|erotic\|lust\|desire\|intimate\|explicit\|fetish\|kinky\|seduce\|adult community\|cam shows\|local (?:girls?\|women\|single)\|hook.?up\|bed partner).*https?://` |
| regex.icontains | regex | `\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the\|invited you to join the)` |
| regex.icontains | regex | `\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the\|invited you to join the) [^\@]+\@lists\.` |