Create spam_google_group_invite.yml (#2159)

Co-authored-by: ID Generator <hello@sublimesecurity.com>
sublime-security · Jan 9, 2025 · d64cb9b · d64cb9b
1 parent 96040f4
commit d64cb9b
Showing 1 changed file with 67 additions and 0 deletions.
diff --git a/detection-rules/spam_google_group_explict_invite.yml b/detection-rules/spam_google_group_explict_invite.yml
@@ -0,0 +1,67 @@
+name: "Spam: Sexually Explict Google Group Invitation"
+description: "Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  // 
+  //  Warning: This rule contains sexually explict keywords
+  // 
+  and sender.email.email == "noreply@groups.google.com"
+  and (
+    strings.istarts_with(subject.subject, 'Invitation to join ')
+    or strings.istarts_with(subject.subject, 'You have been added to ')
+    // the group name contains sexually explict keywords
+    or regex.icontains(subject.subject,
+                       '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)'
+    )
+  )
+  // the invite is not from an $org_domain user
+  and not any($org_domains,
+              strings.icontains(body.current_thread.text,
+                                strings.concat('@',
+                                               .,
+                                               ' invited you to join the '
+                                )
+              )
+              or strings.icontains(body.current_thread.text,
+                                   strings.concat('@', ., ' added you to the ')
+              )
+  )
+  and (
+    // the group name contains 7 char sets at the start and end and must contain a number
+    regex.icontains(subject.subject,
+                    '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$'
+    )
+    // calls to action in the group name
+    or regex.icontains(subject.subject,
+                       '(?:added to|to join) .*(join|(?:click|go|tap) here)'
+    )
+    // it contains an emoji in the group name
+    or regex.icontains(subject.subject,
+                       '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
+    )
+    // the description of the group contains sexually explict keywords 
+    or regex.icontains(body.current_thread.text,
+                       '(?:about this group|message from).*(?:(sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)).*https?://'
+    )
+    // the invitor is an email domain which contains 3 labels
+    or (
+      regex.icontains(body.current_thread.text,
+                      '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)'
+      )
+      // where the group name contains "lists."
+      and not regex.icontains(body.current_thread.text,
+                              '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\@]+\@lists\.'
+      )
+    )
+  )
+attack_types:
+  - "Spam"
+tactics_and_techniques:
+  - "Free email provider"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+id: "4e0bec29-be9c-526f-ad56-824b4d87f55d"