Create spam_google_group_invite.yml by @zoomequipd #2159 Source SHA f8e971a Triggered by @zoomequipd
Sublime Rule Testing Bot
committed
Dec 11, 2024
1 parent
c5666d2
commit 5a11f81
Showing
1 changed file
with
3 additions
and
2 deletions.
@@ -2,14 +2,15 @@ name: "Spam: Google Groups Invitations" | |
description: "Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions." | ||
type: "rule" | ||
severity: "low" | ||
source: "type.inbound\n// \n// Warning: This rule contains sexually explict keywords\n// \nand sender.email.email == \"[email protected]\"\nand (\n strings.istarts_with(subject.subject, 'Invitation to join ')\n or strings.istarts_with(subject.subject, 'You have been added to ')\n)\n// the invite is not from an $org_domain user\nand not any($org_domains,\n strings.icontains(body.current_thread.text,\n strings.concat('@',\n .,\n ' invited you to join the '\n )\n )\n or strings.icontains(body.current_thread.text,\n strings.concat('@', ., ' added you to the ')\n )\n)\nand (\n // the group name contains 7 char sets at the start and end and must contain a number\n regex.icontains(subject.subject,\n '(?:added to|to join) [A-Z0-9]{6,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{6,7}$'\n )\n // calls to action in the group name\n or regex.icontains(subject.subject,\n '(?:added to|to join) .*(join|(?:click|go|tap) here)'\n )\n // it contains an emoji in the group name\n or regex.icontains(subject.subject,\n '(?:added to|to join) .*[\\x{1F300}-\\x{1F5FF}\\x{1F600}-\\x{1F64F}\\x{1F680}-\\x{1F6FF}\\x{1F700}-\\x{1F77F}\\x{1F780}-\\x{1F7FF}\\x{1F900}-\\x{1F9FF}\\x{2600}-\\x{26FF}\\x{2700}-\\x{27BF}\\x{2300}-\\x{23FF}]'\n )\n or \n regex.icontains(body.current_thread.text, '(?:about this group|message from).*(?:sex|horny|cock|fuck|ass|pussy|dick|tits|cum).*https?://')\n)\n" | ||
source: "type.inbound\n// \n// Warning: This rule contains sexually explict keywords\n// \nand sender.email.email == \"[email protected]\"\nand (\n strings.istarts_with(subject.subject, 'Invitation to join ')\n or strings.istarts_with(subject.subject, 'You have been added to ')\n // the group name contains sexually explict keywords\n or\n regex.icontains(subject.subject, '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|ass|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)')\n)\n// the invite is not from an $org_domain user\nand not any($org_domains,\n strings.icontains(body.current_thread.text,\n strings.concat('@',\n .,\n ' invited you to join the '\n )\n )\n or strings.icontains(body.current_thread.text,\n strings.concat('@', ., ' added you to the ')\n )\n)\nand (\n // the group name contains 7 char sets at the start and end and must contain a number\n regex.icontains(subject.subject,\n '(?:added to|to join) [A-Z0-9]{6,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{6,7}$'\n )\n // calls to action in the group name\n or regex.icontains(subject.subject,\n '(?:added to|to join) .*(join|(?:click|go|tap) here)'\n )\n // it contains an emoji in the group name\n or regex.icontains(subject.subject,\n '(?:added to|to join) .*[\\x{1F300}-\\x{1F5FF}\\x{1F600}-\\x{1F64F}\\x{1F680}-\\x{1F6FF}\\x{1F700}-\\x{1F77F}\\x{1F780}-\\x{1F7FF}\\x{1F900}-\\x{1F9FF}\\x{2600}-\\x{26FF}\\x{2700}-\\x{27BF}\\x{2300}-\\x{23FF}]'\n )\n // the description of the group contains sexually explict keywords \n or \n regex.icontains(body.current_thread.text, '(?:about this group|message 
from).*(?:(sex|horny|cock|fuck|ass|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)).*https?://')\n // the invitor is an email domain which contains 3 labels\n or \n regex.icontains(body.current_thread.text, '\\n[^\\@]+@(?:[a-zA-Z0-9-]{1,255}\\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)')\n)\n" | ||
attack_types: | ||
- "Spam" | ||
tactics_and_techniques: | ||
- "Free email provider" | ||
- "Social engineering" | ||
detection_methods: | ||
- "Content analysis" | ||
- "Sender analysis" | ||
id: "4e0bec29-be9c-526f-ad56-824b4d87f55d" | ||
testing_pr: 2159 | ||
testing_sha: 88db12fe0e212220660632ddd9078eaafe7d091c | ||
testing_sha: f8e971a52ee4410b250f42d4f8e91909aaf30196 |
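Review bot: The subject keyword regex added to the first `and (` group does not create a new detection path on its own, because a subject that only contains an explicit keyword still has to satisfy one of the alternatives in the later `and (` group (the 6-7 char pattern, the call-to-action, the emoji, the body keywords, or the new 3-label domain check); if the intent is to flag explicit group names directly, the regex belongs in that later group instead. The keyword alternation has no word boundaries, so in the subject it also matches substrings of ordinary words (`ass` in "class", `cum` in "document", plus `video`, `strip`, `desire`), and unlike the body variant it is not gated by a trailing `.*https?://`; consider `\b` boundaries (written `\\b` inside the double-quoted YAML string) or trimming the list to terms that are rarely substrings. The new 3-label domain alternative would presumably also fire on invites sent from a subdomain of an `$org_domains` entry, since the earlier exclusion looks for the literal `@<domain> invited you to join the` and `@corp.<domain>` would not contain it — worth confirming against a sample. The same keyword list now appears in two regexes; a comment such as `// keep this list in sync with the subject check above` would help the next editor.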