From 849ac3ebc7c9e3990cced5d4e25e4f151842fbcc Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Thu, 26 Dec 2024 21:06:05 +0000
Subject: [PATCH] Sync from PR#2179 Update link_google_open_redirect_with_suspicious_indicators.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2179 Source SHA 063811fb26c72d00e3e84dd60cd2a53cc16bcd5c Triggered by @zoomequipd
---
 ...en_redirect_with_suspicious_indicators.yml | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 detection-rules/link_google_open_redirect_with_suspicious_indicators.yml

diff --git a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
new file mode 100644
index 00000000000..2a868aef613
--- /dev/null
+++ b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
@@ -0,0 +1,92 @@
+name: "Open Redirect: Google domain with /url path and suspicious indicators"
+description: "This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). \nTo enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.\n"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // All attachments are images or 0 attachments
+ and (
+ (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
+ or length(attachments) == 0
+ )
+ and sender.email.domain.root_domain not in $org_domains
+ // negate auth'ed google messages
+ and not (
+ sender.email.domain.sld == "google"
+ and sender.email.local_part in ("googlealerts-noreply", "comments-noreply@docs.google.com")
+ and headers.auth_summary.spf.pass
+ and headers.auth_summary.dmarc.pass
+ )
+ // not a reply
+ and (
+ length(headers.references) == 0
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+ // With a Google Redirect
+ and any(body.links,
+ (
+ .href_url.domain.sld == "google"
+ and .href_url.path == "/url"
+ and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
+ )
+ or any(.href_url.rewrite.encoders, . 
== 'google_open_redirect')
+ )
+ and 2 of (
+ // Not a google logo
+ any(attachments,
+ .file_type in $file_types_images
+ and (
+ any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
+ or any(ml.logo_detect(beta.message_screenshot()).brands,
+ not strings.starts_with(.name, "Google")
+ )
+ )
+ ),
+ // Body analysis - NLU - Credential theft
+ (
+ any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence in~ ("medium", "high")
+ )
+ ),
+ // Image analysis - NLU - Credential theft language
+ (
+ any(attachments,
+ .file_type in $file_types_images
+ and any(file.explode(.),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
+ )
+ )
+ ),
+ // Content analysis - Body - Urgency
+ (
+ any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
+ ),
+
+ // White font is found in html raw
+ (
+ length(body.html.display_text) < 500
+ and regex.icontains(body.html.raw,
+ '