Skip to content

Create link_published_google_doc.yml #2680

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Create link_published_google_doc.yml #2680

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6baa2a2
Create link_published_google_doc.yml
aidenmitchell May 6, 2025
f71530e
Auto add rule ID
May 6, 2025
a2554b1
Update link_published_google_doc.yml
aidenmitchell May 7, 2025
092d1c8
Update link_published_google_doc.yml
aidenmitchell May 7, 2025
67ff498
Update link_published_google_doc.yml
aidenmitchell May 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 90 additions & 0 deletions detection-rules/link_published_google_doc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
name: "Link: Published Google Drive Document With Suspicious Link"
description: "A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs."
type: "rule"
severity: "high"
source: |
type.inbound
and not sender.email.domain.domain == "google.com"
and length(distinct(filter(body.links,
.href_url.domain.domain == "docs.google.com"
),
.href_url.url
)
) < 3
and any(filter(body.links,
.href_url.domain.domain == "docs.google.com"
and (
any(ml.nlu_classifier(.display_text).entities,
.name == "request"
)
or any(ml.nlu_classifier(.display_text).intents,
.name == "cred_theft"
)
)
),
strings.istarts_with(ml.link_analysis(., mode="aggressive").final_dom.display_text,
"Published using Google Docs"
)
// filter down to links in the document where the display text is suspicious
and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
any(ml.nlu_classifier(.display_text).entities,
.name == "request"
)
or any(ml.nlu_classifier(.display_text).intents,
.name == "cred_theft"
)
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30

// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.domain in $url_shorteners

// go to suspicious TLDs
or .href_url.domain.tld in $suspicious_tlds

// check for a second stage website that contains a suspicious link
// in other words, this LA call is inspecting links in sites on the Google Doc page
// we have seen Google Docs -> Google Slides (which this call is inspecting) -> malicious site
or any(ml.link_analysis(.href_url).final_dom.links,
.href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.domain in $url_shorteners

// go to suspicious TLDs
or .href_url.domain.tld in $suspicious_tlds
)
)
)
)
and not (
length(headers.reply_to) == 1
and all(headers.reply_to, .email.domain.domain in $org_domains)
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "URL analysis"
- "Whois"
id: "031e1ff8-3d7d-5bbe-8e61-f5f3d19e9760"
Loading