-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update link_google_open_redirect_with_suspicious_indicators.yml by @zoomequipd #2179 Source SHA 063811f Triggered by @zoomequipd
- Loading branch information
Sublime Rule Testing Bot
committed
Dec 26, 2024
1 parent
34e5452
commit 849ac3e
Showing
1 changed file
with
92 additions
and
0 deletions.
There are no files selected for viewing
92 changes: 92 additions & 0 deletions
92
detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
name: "Open Redirect: Google domain with /url path and suspicious indicators" | ||
description: "This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). \nTo enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.\n" | ||
type: "rule" | ||
severity: "medium" | ||
source: | | ||
type.inbound | ||
// All attachments are images or 0 attachments | ||
and ( | ||
(length(attachments) > 0 and all(attachments, .file_type in $file_types_images)) | ||
or length(attachments) == 0 | ||
) | ||
and sender.email.domain.root_domain not in $org_domains | ||
// negate auth'ed google messages | ||
and not ( | ||
sender.email.domain.sld == "google" | ||
and sender.email.local_part in ("googlealerts-noreply", "comments-noreply@docs.google.com") | ||
and headers.auth_summary.spf.pass | ||
and headers.auth_summary.dmarc.pass | ||
) | ||
// not a reply | ||
and ( | ||
length(headers.references) == 0 | ||
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) | ||
) | ||
// With a Google Redirect | ||
and any(body.links, | ||
( | ||
.href_url.domain.sld == "google" | ||
and .href_url.path == "/url" | ||
and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://") | ||
) | ||
or any(.href_url.rewrite.encoders, . == 'google_open_redirect') | ||
) | ||
and 2 of ( | ||
// Not a google logo | ||
any(attachments, | ||
.file_type in $file_types_images | ||
and ( | ||
any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google")) | ||
or any(ml.logo_detect(beta.message_screenshot()).brands, | ||
not strings.starts_with(.name, "Google") | ||
) | ||
) | ||
), | ||
// Body analysis - NLU - Credential theft | ||
( | ||
any(ml.nlu_classifier(body.current_thread.text).intents, | ||
.name == "cred_theft" and .confidence in~ ("medium", "high") | ||
) | ||
), | ||
// Image analysis - NLU - Credential theft language | ||
( | ||
any(attachments, | ||
.file_type in $file_types_images | ||
and any(file.explode(.), | ||
any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft") | ||
) | ||
) | ||
), | ||
// Content analysis - Body - Urgency | ||
( | ||
any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency") | ||
), | ||
// White font is found in html raw | ||
( | ||
length(body.html.display_text) < 500 | ||
and regex.icontains(body.html.raw, | ||
'<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$' | ||
) | ||
) | ||
// domains using .app matching this pattern observed abusing google's redirect | ||
or regex.icontains(sender.email.domain.domain, '[a-z]{3,}\.\d{5,}[^\.]+\.app$') | ||
) | ||
attack_types: | ||
- "Credential Phishing" | ||
tactics_and_techniques: | ||
- "Evasion" | ||
- "Open redirect" | ||
detection_methods: | ||
- "Computer Vision" | ||
- "Content analysis" | ||
- "File analysis" | ||
- "Header analysis" | ||
- "Natural Language Understanding" | ||
- "Optical Character Recognition" | ||
- "Sender analysis" | ||
- "URL analysis" | ||
id: "fc5adf74-6a39-5285-9737-3539a0542313" | ||
testing_pr: 2179 | ||
testing_sha: 063811fb26c72d00e3e84dd60cd2a53cc16bcd5c |