Detection rules › Panther
Gsuite Attachments Downloaded from Spam Email
Detects when a user downloads or saves to Google Drive one or more attachments that are classified as spam.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566.001 Phishing: Spearphishing Attachment |
| Execution | T1204.002 User Execution: Malicious File |
Rule body yaml
AnalysisType: rule
Filename: gsuite_attachments_downloaded_from_spam_email.py
RuleID: "GSuite.Gmail.SpamEmail.AttachmentDownload"
DisplayName: "Gsuite Attachments Downloaded from Spam Email"
Enabled: true
LogTypes:
- GSuite.ActivityEvent
Tags:
- GSuite
Reports:
MITRE ATT&CK:
- TA0001:T1566.001 # Initial Access: Phishing - Spearphishing Attachment
- TA0011:T1204.002 # Execution: User Execution - Malicious File
Severity: High
Description: Detects when a user downloads or saves to Google Drive one or more attachments that are classified as spam.
Threshold: 1
DedupPeriodMinutes: 60
Tests:
- Name: Download Attachments from Spam Email
ExpectedResult: true
Log:
{
"p_any_ip_addresses": [
"1.1.1.1"
],
"p_any_actor_ids": [
"1234567891234"
],
"p_any_domain_names": [
"evil.com"
],
"p_event_time": "2025-11-04 20:44:43.248000000",
"p_log_type": "GSuite.ActivityEvent",
"p_parse_time": "2025-11-04 20:49:46.688935963",
"p_row_id": "0000000000de09c1dc6f0828cbad2ca5",
"p_schema_version": 0,
"p_source_id": "7ee69d4d-df1b-40b3-b5e8-6826dee34b1c",
"p_source_label": "Google Workspace",
"p_udm": {
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
},
"user": {
"provider_id": "123456789"
}
},
"actor": {
"callerType": "USER",
"email": "denethor@lotr.com",
"profileId": "123456789"
},
"id": {
"applicationName": "gmail",
"customerId": "1A2B3C",
"time": "2025-11-04 20:44:43.248000000",
"uniqueQualifier": "-123456789"
},
"ipAddress": "1.1.1.1",
"kind": "admin#reports#activity",
"name": "delivery",
"parameters": {
"event_info": {
"elapsed_time_usec": 368746,
"timestamp_usec": 1762289083248347,
"mail_event_type" : 17,
},
"message_info": {
"action_type": 19,
"is_spam": true,
"flattened_destinations": "gmail-for-work-catchall::denethor@lotr.com",
"link_domain": [
"evil.com"
],
"payload_size": 12345,
"subject": "You won 1 Million Dollar",
"message_set": {
"type": 46}
},
},
"type": "delivery_type"
}
- Name: Other Email Event
ExpectedResult: false
Log:
{
"p_any_ip_addresses": [
"1.1.1.1"
],
"p_any_actor_ids": [
"1234567891234"
],
"p_any_domain_names": [
"evil.com"
],
"p_event_time": "2025-11-04 20:44:43.248000000",
"p_log_type": "GSuite.ActivityEvent",
"p_parse_time": "2025-11-04 20:49:46.688935963",
"p_row_id": "165c80e3df1fc1cb9fb49af829c4fe26",
"p_schema_version": 0,
"p_source_id": "7ee69d4d-df1b-40b3-b5e8-6826dee34b1c",
"p_source_label": "Google Workspace",
"p_udm": {
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
},
"user": {
"provider_id": "123456789"
}
},
"actor": {
"callerType": "USER",
"email": "aragorn@lotr.com",
"profileId": "123456789"
},
"id": {
"applicationName": "gmail",
"customerId": "1A2B3C",
"time": "2025-11-04 20:44:43.248000000",
"uniqueQualifier": "-123456789"
},
"ipAddress": "1.1.1.1",
"kind": "admin#reports#activity",
"name": "delivery",
"parameters": {
"event_info": {
"elapsed_time_usec": 368746,
"timestamp_usec": 1762289083248347
},
"message_info": {
"action_type": 19,
"flattened_destinations": "gmail-for-work-catchall::aragorn@lotr.com",
"link_domain": [
"evil.com"
],
"payload_size": 12345,
"subject": "You won 1 Million Dollar",
"message_set": {
"type": 1}
},
},
"type": "delivery_type"
}
Detection logic
Condition
id.applicationName eq "gmail"
parameters.message_info.is_spam eq "True"
parameters.event_info.mail_event_type in ["17", "18", "19"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
id.applicationName | eq |
|
parameters.event_info.mail_event_type | in |
|
parameters.message_info.is_spam | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
actor | actor.email |
applicationName | id.applicationName |
name | |
type | |
parameters |