sublime-security · zoomequipd · Jan 15, 2025 · Dec 31, 2024 · Dec 31, 2024 · Jan 2, 2025
@@ -0,0 +1,76 @@
+name: "Impersonation: Chrome Web Store Policy"
+description: "Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation."
+references:
+  - "https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension"
+  - "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/"
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  // all observed sender.email.domain have had MX records pointing to smtp.google.com
+  and strings.ends_with(headers.message_id, '@mail.gmail.com>')
+  and sender.email.domain.domain != 'gmail.com'
+  and (
+    // subject and sender
+    sender.email.domain.root_domain in (
+      "chromeforextension.com",
+      "forextensions.com",
+      "supportchromestore.com"
+    )
+    or (
+      2 of (
+        strings.icontains(sender.email.domain.root_domain, 'chrome'),
+        strings.icontains(sender.email.domain.root_domain, 'support'),
+        strings.icontains(sender.email.domain.root_domain, 'extension'),
+        strings.icontains(sender.email.domain.root_domain, 'webstore')
+      )
+    )
+    or strings.icontains(sender.email.local_part, 'chromewebstore')
+    or strings.icontains(sender.display_name, "Webstore Extension")
+    or strings.icontains(subject.subject, 'Chrome Web Store Policy')
+    // body and html
+    or strings.icontains(body.html.raw,
+                         '<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
+    )
+    or regex.icontains(body.current_thread.text,
+                       'Item name: [^\s]+ security extension'
+    )
+    or strings.icontains(body.current_thread.text,
+                         'Chrome Web Store Developer Support'
+    )
+    or strings.icontains(body.current_thread.text, 'Developer Program Policies')
+    or strings.icontains(body.current_thread.text,
+                         'Relevant section of the program policy:'
+    )
+    or strings.icontains(body.current_thread.text,
+                         'Please accept our policies to continue publishing your products.'
+    )
+
+    // links
+    or (
+      length(distinct(body.links, .href_url.domain.root_domain)) < 10
+      and any(body.links,
+              .href_url.domain.root_domain in (
+                "checkpolicy.site",
+                "extensionpolicyprivacy.com",
+                "extensionpolicy.net",
+                "policyextension.info"
+              )
+              or .href_url.path == '/extension-policy-check'
+              or .display_text == "Go To Policy"
+      )
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Free email provider"
+  - "Lookalike domain"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "4a98f283-8cc6-5864-bafb-e1908d0a5a8b"