Spam Email Surge

Status: Experimental
Severity: medium
Entities: actor_ids, domain_names, ip_addresses
Log types: GSuite.ActivityEvent
Tags: GSuite
Source: github.com/panther-labs/panther-analysis

Detects a high number of spam emails received by a single user in a short timeframe. This could indicate the user's email has appeared in data leaks and is being targeted for spam.

MITRE ATT&CK coverage

Tactic | Technique
Reconnaissance | T1598 Phishing for Information
Initial Access | T1566 Phishing

Rule body (YAML)

AnalysisType: rule
Filename: gsuite_spam_email.py
RuleID: "GSuite.Gmail.Spam.Email.Surge"
DisplayName: "Spam Email Surge"
Enabled: true
LogTypes:
  - GSuite.ActivityEvent
Tags:
  - GSuite
Reports:
  MITRE ATT&CK:
    - TA0001:T1566 # Initial Access: Phishing
    - TA0043:T1598 # Reconnaissance: Phishing for Information
Severity: Medium
Status: Experimental
Description: >
  Detects a high number of spam emails received by a single user in a short timeframe. This could indicate the user's email has appeared in data leaks and is being targeted for spam.
Threshold: 50
DedupPeriodMinutes: 60
Tests:
  - Name: Spam Email
    ExpectedResult: true
    Log:
      {
        "p_any_ip_addresses": [
          "1.1.1.1"
        ],
        "p_any_actor_ids": [
          "1234567891234"
        ],
        "p_any_domain_names": [
          "evil.com"
        ],
        "p_event_time": "2025-11-04 20:44:43.248000000",
        "p_log_type": "GSuite.ActivityEvent",
        "p_parse_time": "2025-11-04 20:49:46.688935963",
        "p_row_id": "0000000000de09c1dc6f0828cbad2ca5",
        "p_schema_version": 0,
        "p_source_id": "7ee69d4d-df1b-40b3-b5e8-6826dee34b1c",
        "p_source_label": "Google Workspace",
        "p_udm": {
          "source": {
            "address": "1.1.1.1",
            "ip": "1.1.1.1"
          },
          "user": {
            "provider_id": "123456789"
          }
        },
        "actor": {
          "callerType": "USER",
          "email": "denethor@lotr.com",
          "profileId": "123456789"
        },
        "id": {
          "applicationName": "gmail",
          "customerId": "1A2B3C",
          "time": "2025-11-04 20:44:43.248000000",
          "uniqueQualifier": "-123456789"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "delivery",
        "parameters": {
          "event_info": {
            "elapsed_time_usec": 368746,
            "timestamp_usec": 1762289083248347
          },
          "message_info": {
            "action_type": 19,
            "flattened_destinations": "gmail-for-work-catchall::denethor@lotr.com",
            "is_spam": true,
            "link_domain": [
              "evil.com"
            ],
            "payload_size": 12345,
            "subject": "You won 1 Million Dollar"
          }
        },
        "type": "delivery_type"
      }
  - Name: Normal Email
    ExpectedResult: false
    Log:
      {
        "p_any_ip_addresses": [
          "1.1.1.1"
        ],
        "p_any_actor_ids": [
          "1234567891234"
        ],
        "p_any_domain_names": [
          "evil.com"
        ],
        "p_event_time": "2025-11-04 20:44:43.248000000",
        "p_log_type": "GSuite.ActivityEvent",
        "p_parse_time": "2025-11-04 20:49:46.688935963",
        "p_row_id": "165c80e3df1fc1cb9fb49af829c4fe26",
        "p_schema_version": 0,
        "p_source_id": "7ee69d4d-df1b-40b3-b5e8-6826dee34b1c",
        "p_source_label": "Google Workspace",
        "p_udm": {
          "source": {
            "address": "1.1.1.1",
            "ip": "1.1.1.1"
          },
          "user": {
            "provider_id": "123456789"
          }
        },
        "actor": {
          "callerType": "USER",
          "email": "aragorn@lotr.com",
          "profileId": "123456789"
        },
        "id": {
          "applicationName": "gmail",
          "customerId": "1A2B3C",
          "time": "2025-11-04 20:44:43.248000000",
          "uniqueQualifier": "-123456789"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "delivery",
        "parameters": {
          "event_info": {
            "elapsed_time_usec": 368746,
            "timestamp_usec": 1762289083248347
          },
          "message_info": {
            "action_type": 19,
            "flattened_destinations": "gmail-for-work-catchall::aragorn@lotr.com",
            "is_spam": false,
            "link_domain": [
              "good.com"
            ],
            "payload_size": 12345,
            "subject": "Normal Email"
          }
        },
        "type": "delivery_type"
      }

Detection logic

Condition

id.applicationName eq "gmail"
actor.email not contains "/hd/domain/"
parameters.message_info.is_spam eq "True"

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field | Kind | Excluded values
actor.email | contains | /hd/domain/
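The condition and exclusion above, written as a Panther-style Python rule, together with a local replay of the Threshold: 50 / DedupPeriodMinutes: 60 settings. This is an added example for testing the logic, not the repository's gsuite_spam_email.py; the sliding-window counter is an assumption that approximates what Panther enforces server-side, and the sample events are constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _get(event, *path, default=None):
    """Walk nested dict keys; return default on any miss."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def rule(event):
    """Page condition: a Gmail delivery event flagged as spam for a user mailbox."""
    if _get(event, "id", "applicationName") != "gmail":
        return False
    # Exclusion from the page: skip actors carrying "/hd/domain/" in the email field
    if "/hd/domain/" in (_get(event, "actor", "email", default="") or ""):
        return False
    is_spam = _get(event, "parameters", "message_info", "is_spam")
    # The sample logs carry a boolean; the rendered condition shows "True", so accept both
    return is_spam is True or str(is_spam).lower() == "true"

def dedup(event):
    """One alert thread per recipient mailbox (the actor in delivery events)."""
    return _get(event, "actor", "email", default="<unknown>")

def surge_alerts(events, threshold=50, window_minutes=60):
    """Local approximation (assumption) of Threshold/DedupPeriodMinutes: return the
    mailboxes that accumulate `threshold` matching events inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    seen, alerted = defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["p_event_time"]):
        if not rule(ev):
            continue
        ts = datetime.strptime(ev["p_event_time"][:19], "%Y-%m-%d %H:%M:%S")
        key = dedup(ev)
        seen[key] = [t for t in seen[key] if ts - t < window] + [ts]
        if len(seen[key]) >= threshold:
            alerted.add(key)
    return sorted(alerted)

def make_event(email, is_spam, minute):
    """Constructed sample shaped like the page's GSuite.ActivityEvent test logs."""
    return {"p_event_time": f"2025-11-04 20:{minute:02d}:00.000000000",
            "id": {"applicationName": "gmail"}, "actor": {"email": email},
            "parameters": {"message_info": {"is_spam": is_spam}}}
```

Fifty spam deliveries to one mailbox inside an hour trip the surge; forty-nine do not, and neither does any count of events whose actor is a "/hd/domain/" entry.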

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field | Source
actor | actor.email
applicationName | id.applicationName
name |
type |
parameters |