Sync from PR#2179

Update link_google_open_redirect_with_suspicious_indicators.yml by @zoomequipd #2179 Source SHA 063811f Triggered by @zoomequipd
sublime-security · Dec 26, 2024 · 849ac3e · 849ac3e
1 parent 34e5452
commit 849ac3e
Showing 1 changed file with 92 additions and 0 deletions.
diff --git a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
@@ -0,0 +1,92 @@
+name: "Open Redirect: Google domain with /url path and suspicious indicators"
+description: "This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). \nTo enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.\n"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // All attachments are images or 0 attachments
+  and (
+    (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
+    or length(attachments) == 0
+  )
+  and sender.email.domain.root_domain not in $org_domains
+  // negate auth'ed google messages
+  and not (
+    sender.email.domain.sld == "google"
+    and sender.email.local_part in ("googlealerts-noreply", "[email protected]")
+    and headers.auth_summary.spf.pass
+    and headers.auth_summary.dmarc.pass
+  )
+  // not a reply
+  and (
+    length(headers.references) == 0
+    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+  )
+  // With a Google Redirect
+  and any(body.links,
+          (
+            .href_url.domain.sld == "google"
+            and .href_url.path == "/url"
+            and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
+          )
+          or any(.href_url.rewrite.encoders, . == 'google_open_redirect')
+  )
+  and 2 of (
+    // Not a google logo
+    any(attachments,
+        .file_type in $file_types_images
+        and (
+          any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
+          or any(ml.logo_detect(beta.message_screenshot()).brands,
+                 not strings.starts_with(.name, "Google")
+          )
+        )
+    ),
+    // Body analysis - NLU - Credential theft
+    (
+      any(ml.nlu_classifier(body.current_thread.text).intents,
+          .name == "cred_theft" and .confidence in~ ("medium", "high")
+      )
+    ),
+    // Image analysis - NLU - Credential theft language
+    (
+      any(attachments,
+          .file_type in $file_types_images
+          and any(file.explode(.),
+                  any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
+          )
+      )
+    ),
+    // Content analysis - Body - Urgency
+    (
+      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
+    ),
+
+    // White font is found in html raw
+    (
+      length(body.html.display_text) < 500
+      and regex.icontains(body.html.raw,
+                          '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
+      )
+    )
+
+    // domains using .app matching this pattern observed abusing google's redirect
+    or regex.icontains(sender.email.domain.domain, '[a-z]{3,}\.\d{5,}[^\.]+\.app$')
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Open redirect"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+  - "URL analysis"
+id: "fc5adf74-6a39-5285-9737-3539a0542313"
+testing_pr: 2179
+testing_sha: 063811fb26c72d00e3e84dd60cd2a53cc16bcd5c