diff --git a/detection-rules/impersonation_chrome_web_store_policy.yml b/detection-rules/impersonation_chrome_web_store_policy.yml new file mode 100644 index 00000000000..52924d4a4ba --- /dev/null +++ b/detection-rules/impersonation_chrome_web_store_policy.yml @@ -0,0 +1,76 @@ +name: "Impersonation: Chrome Web Store Policy" +description: "Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation." +references: + - "https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension" + - "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/" +type: "rule" +severity: "low" +source: | + type.inbound + // all observed sender.email.domain have had MX records pointing to smtp.google.com + and strings.ends_with(headers.message_id, '@mail.gmail.com>') + and sender.email.domain.domain != 'gmail.com' + and ( + // subject and sender + sender.email.domain.root_domain in ( + "chromeforextension.com", + "forextensions.com", + "supportchromestore.com" + ) + or ( + 2 of ( + strings.icontains(sender.email.domain.root_domain, 'chrome'), + strings.icontains(sender.email.domain.root_domain, 'support'), + strings.icontains(sender.email.domain.root_domain, 'extension'), + strings.icontains(sender.email.domain.root_domain, 'webstore') + ) + ) + or strings.icontains(sender.email.local_part, 'chromewebstore') + or strings.icontains(sender.display_name, "Webstore Extension") + or strings.icontains(subject.subject, 'Chrome Web Store Policy') + // body and html + or strings.icontains(body.html.raw, + '
' + ) + or regex.icontains(body.current_thread.text, + 'Item name: [^\s]+ security extension' + ) + or strings.icontains(body.current_thread.text, + 'Chrome Web Store Developer Support' + ) + or strings.icontains(body.current_thread.text, 'Developer Program Policies') + or strings.icontains(body.current_thread.text, + 'Relevant section of the program policy:' + ) + or strings.icontains(body.current_thread.text, + 'Please accept our policies to continue publishing your products.' + ) + + // links + or ( + length(distinct(body.links, .href_url.domain.root_domain)) < 10 + and any(body.links, + .href_url.domain.root_domain in ( + "checkpolicy.site", + "extensionpolicyprivacy.com", + "extensionpolicy.net", + "policyextension.info" + ) + or .href_url.path == '/extension-policy-check' + or .display_text == "Go To Policy" + ) + ) + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Free email provider" + - "Lookalike domain" +detection_methods: + - "Content analysis" + - "Header analysis" + - "HTML analysis" + - "Sender analysis" + - "URL analysis" +id: "4a98f283-8cc6-5864-bafb-e1908d0a5a8b"