Commit bc56beb

Author: Sublime Rule Testing Bot (committed)
Sync from PR#2658
Create spam_explicit_google_drive_share.yml by @aidenmitchell #2658 Source SHA a02e07c Triggered by @aidenmitchell
1 parent 5ce7743 commit bc56beb

3 files changed (+51 -0 lines changed)

@@ -0,0 +1,17 @@
1+
name: "Spam: Sexually Explicit Google Drive Share"
2+
description: "Detects suspicious Google Drive Share which containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report."
3+
type: "rule"
4+
severity: "low"
5+
source: "type.inbound\n// \n// Warning: This rule contains sexually explicit keywords\n// \nand sender.email.email == \"[email protected]\"\n// the invite is not from an $org_domain user\nand all(headers.reply_to,\n .email.domain.domain not in $org_domains\n and .email.email not in $recipient_emails\n and .email.email not in $sender_emails\n)\n// the subject or the body contain sexually explicit keywords\nand any([subject.subject, body.current_thread.text],\n // this regex should be kept in sync between the Google Group and the Looker Studio rules\n regex.icontains(.,\n '(?:sex|horny|cock|fuck|\\bass\\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult\\s*(?:\\w+\\s+){0,2}\\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'\n )\n)\n"
6+
attack_types:
7+
- "Spam"
8+
tactics_and_techniques:
9+
- "Social engineering"
10+
- "Free email provider"
11+
detection_methods:
12+
- "Content analysis"
13+
- "Sender analysis"
14+
id: "6f38aff8-7c16-5ed4-d3ea-e036bf032e5b"
15+
og_id: "3f951c06-ea85-5e35-8b1c-57cc4fd8996e"
16+
testing_pr: 2658
17+
testing_sha: a02e07c3d808a74f4e130b7761230e9c77738f16
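Review bot: the keyword regex in `source` anchors only `\bass\b` with word boundaries; every other alternative is unanchored, so `cum` matches "document" and "circumstances", `sex` matches "Essex" and "Sussex", `strip` matches "stripe", and `video` fires on any legitimately shared video, which is a real false-positive risk for a rule that scans `body.current_thread.text` of Drive share notifications. Consider anchoring the short tokens (`\bcum\b`, `\bsex\b`, `\bstrip\b`) and dropping generic words such as `video`, `desire`, `intimate` and `explicit`. The `description` also reads as a copy of the Looker Studio rule: "Google Drive Share which containing" should be "Google Drive shares containing", "reports from non-organizational domains" should say shares, and it promises emoji detection that nothing in `source` performs. The inline comment says the regex is kept in sync "between the Google Group and the Looker Studio rules" but omits this Drive rule, which is the one that has to track them.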
@@ -0,0 +1,17 @@
1+
name: "Spam: Sexually Explicit Google Group Invitation"
2+
description: "Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions."
3+
type: "rule"
4+
severity: "low"
5+
source: "type.inbound\n// \n// Warning: This rule contains sexually explicit keywords\n// \nand sender.email.email == \"[email protected]\"\nand (\n strings.istarts_with(subject.subject, 'Invitation to join ')\n or strings.istarts_with(subject.subject, 'You have been added to ')\n // the group name contains sexually explicit keywords\n // this regex should be kept in sync between the Google Group, Google Drive Share, and Looker Studio rules\n or regex.icontains(subject.subject,\n '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\\bass\\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'\n )\n)\n// the invite is not from an $org_domain user\nand not any($org_domains,\n strings.icontains(body.current_thread.text,\n strings.concat('@',\n .,\n ' invited you to join the '\n )\n )\n or strings.icontains(body.current_thread.text,\n strings.concat('@', ., ' added you to the ')\n )\n)\nand (\n // the group name contains 7 char sets at the start and end and must contain a number\n regex.icontains(subject.subject,\n '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$'\n )\n // calls to action in the group name\n or regex.icontains(subject.subject,\n '(?:added to|to join) .*(join|(?:click|go|tap) here)'\n )\n // it contains an emoji in the group name\n or regex.icontains(subject.subject,\n '(?:added to|to join) .*[\\x{1F300}-\\x{1F5FF}\\x{1F600}-\\x{1F64F}\\x{1F680}-\\x{1F6FF}\\x{1F700}-\\x{1F77F}\\x{1F780}-\\x{1F7FF}\\x{1F900}-\\x{1F9FF}\\x{2600}-\\x{26FF}\\x{2700}-\\x{27BF}\\x{2300}-\\x{23FF}]'\n )\n // the description of the group contains sexually explicit keywords\n // this regex should be kept in sync between the Google Group and the Looker Studio rules\n or 
regex.icontains(body.current_thread.text,\n '(?:about this group|message from).*(?:sex|horny|cock|fuck|\\bass\\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner).*https?://'\n )\n // the invitor is an email domain which contains 3 labels\n or (\n regex.icontains(body.current_thread.text,\n '\\n[^\\@]+@(?:[a-zA-Z0-9-]{1,255}\\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)'\n )\n // where the group name contains \"lists.\"\n and not regex.icontains(body.current_thread.text,\n '\\n[^\\@]+@(?:[a-zA-Z0-9-]{1,255}\\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\\@]+\\@lists\\.'\n )\n )\n)\n"
6+
attack_types:
7+
- "Spam"
8+
tactics_and_techniques:
9+
- "Free email provider"
10+
- "Social engineering"
11+
detection_methods:
12+
- "Content analysis"
13+
- "Sender analysis"
14+
id: "7fbd71b3-1226-5018-6e59-7f9338e09e57"
15+
og_id: "4e0bec29-be9c-526f-ad56-824b4d87f55d"
16+
testing_pr: 2658
17+
testing_sha: a02e07c3d808a74f4e130b7761230e9c77738f16
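Review bot: the "kept in sync" comments are already out of sync within this PR: both keyword regexes in this file use the literal `adult community`, while the Drive Share and Looker Studio rules use `adult\s*(?:\w+\s+){0,2}\s*community`, and the second comment names only the Google Group and Looker Studio rules whereas the first names all three. Pick one alternation and one comment wording for all three files. Separately, the comment above the `[A-Z0-9]{5,7}` regex says the group name "must contain a number", but the pattern only requires one non-alpha or non-ASCII character (`(?:[[:^ascii:]]|[[:^alpha:]])`) before the trailing token, so any punctuation satisfies it and no digit is ever required; either reword the comment or require `[0-9]` explicitly. Under `icontains` the `[A-Z0-9]` classes are also case-insensitive, so the "7 char sets" comment overstates what is matched.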
@@ -0,0 +1,17 @@
1+
name: "Spam: Sexually Explicit Looker Studio Report"
2+
description: "Detects suspicious Looker Studio Reports which containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report."
3+
type: "rule"
4+
severity: "low"
5+
source: "type.inbound\n// \n// Warning: This rule contains sexually explicit keywords\n// \nand sender.email.email == \"[email protected]\"\n// the invite is not from an $org_domain user\nand all(headers.reply_to,\n .email.domain.domain not in $org_domains\n and .email.email not in $recipient_emails\n and .email.email not in $sender_emails\n)\n// the subject or the body contain sexually explicit keywords\nand any([subject.subject, body.current_thread.text],\n // this regex should be kept in sync between the Google Group, Google Drive Share, and Looker Studio rules\n regex.icontains(.,\n '(?:sex|horny|cock|fuck|\\bass\\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult\\s*(?:\\w+\\s+){0,2}\\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'\n )\n)\n"
6+
attack_types:
7+
- "Spam"
8+
tactics_and_techniques:
9+
- "Social engineering"
10+
- "Free email provider"
11+
detection_methods:
12+
- "Content analysis"
13+
- "Sender analysis"
14+
id: "45953c91-dbb1-5563-374b-41580a1d5723"
15+
og_id: "f1e649cd-63c0-5df4-86c9-72adc4eef0f0"
16+
testing_pr: 2658
17+
testing_sha: a02e07c3d808a74f4e130b7761230e9c77738f16
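Review bot: `source` here is identical to the Google Drive Share rule apart from one comment, yet the `description` claims the rule looks for "emojis" in the report; nothing in `source` matches emoji code points (only the Google Group rule carries the `\x{1F300}-...` class), so either add that check or drop the claim. Grammar: "Looker Studio Reports which containing" should be "Looker Studio reports containing". The unanchored-keyword concern from the Drive rule applies verbatim (`cum` matches "document"). Also worth confirming: `all(headers.reply_to, ...)` is vacuously true when no Reply-To header is present, in which case the "not from an $org_domain user" comment does not hold and the fixed `sender.email.email` check is the only sender constraint; if that is unintended, require a non-empty `headers.reply_to` as well.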