From 4f1655fd58c92c4a15d08236377efba28cd70489 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Tue, 3 Dec 2024 21:56:10 -0600
Subject: [PATCH 1/2] Create abuse_google_drive_new_sender_domain.yml
---
 .../abuse_google_drive_new_sender_domain.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 detection-rules/abuse_google_drive_new_sender_domain.yml
diff --git a/detection-rules/abuse_google_drive_new_sender_domain.yml b/detection-rules/abuse_google_drive_new_sender_domain.yml
new file mode 100644
index 00000000000..dd3a0c1c143
--- /dev/null
+++ b/detection-rules/abuse_google_drive_new_sender_domain.yml
@@ -0,0 +1,31 @@
+name: "Service Abuse: Google Drive Share From New Reply-To Domain"
+description: "A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and sender.email.email in (
+ 'drive-shares-dm-noreaply@google.com',
+ 'drive-shares-noreply@google.com',
+ )
+ and not any(headers.reply_to, .email.domain.domain in $org_domains)
+
+ // the message needs to have a reply-to address
+ and length(headers.reply_to) > 0
+
+ // new reply-to
+ and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "BEC/Fraud"
+ - "Callback Phishing"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Social engineering"
+ - "Free file host"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
+ - "Whois"
From 69e99e50cb3ecfff9b5bd943dcaf6e86ba8db30e Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 4 Dec 2024 03:58:18 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/abuse_google_drive_new_sender_domain.yml | 1 +
 1 file changed, 1 insertion(+)
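Review bot: The sender allow-list in the `and sender.email.email in (` clause appears to contain a typo, `'drive-shares-dm-noreaply@google.com'`, sitting next to the correctly spelled `'drive-shares-noreply@google.com'`; as written, notifications from the `-dm-` sender would never satisfy the rule, so the line should probably read `'drive-shares-dm-noreply@google.com',` unless the misspelling is deliberate, in which case a `//` comment saying so would help. The rule also trusts `sender.email.email` on its own, so a message that merely forges that Google sender meets the same conditions; if the intent is to catch abuse of genuine Drive share notifications, consider additionally requiring a passing authentication result (for example `headers.auth_summary.dmarc.pass`, if that is the field this corpus uses) and documenting the choice in a comment. The `// new reply-to` comment would be more useful if it stated the intended fail-closed behaviour, e.g. `// whois lookups that return no age presumably do not satisfy < 30 and suppress the match — confirm`. Finally, the `"Free email provider"` entry under `tactics_and_techniques` does not correspond to anything the logic checks (the reply-to domain is only tested for age and against `$org_domains`), so it looks inherited from a sibling rule and should be dropped or justified.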
diff --git a/detection-rules/abuse_google_drive_new_sender_domain.yml b/detection-rules/abuse_google_drive_new_sender_domain.yml
index dd3a0c1c143..049719deb41 100644
--- a/detection-rules/abuse_google_drive_new_sender_domain.yml
+++ b/detection-rules/abuse_google_drive_new_sender_domain.yml
@@ -29,3 +29,4 @@ detection_methods:
 - "Header analysis"
 - "Sender analysis"
 - "Whois"
+id: "c1a2d367-ebdd-5557-926d-fe7b9ebfa324"