Brand impersonation: Google Drive fake file share

Sublime Rules

Summary
This detection rule identifies emails that impersonate Google Drive file-sharing notifications. The logic checks for several indicators in the message: phrases typically associated with file-sharing notifications ('shared a file with you', 'invited you to review', etc.), certain link characteristics, and references to Google in the subject line or body. The rule also analyzes the sender's domain, requiring that it does not match a core Google domain and that the sender is not an already trusted sender with an established history of legitimate mail. It further requires that the links in the message do not lead to a recognized Google domain, flagging fraudulent emails designed to harvest user credentials or distribute malware. The impersonation checks cover several languages, so the rule can detect phishing attempts aimed at a wider audience. Other techniques, including computer vision for logo detection and header analysis, further strengthen the identification of potential threats.
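A simplified re-creation of those checks in Python, added here for illustration; it is not the Sublime rule itself (which is written in MQL), and the phrase list, the set of Google root domains and both sample messages are constructed assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subset of the share-notification phrases the rule summary mentions (constructed list).
SHARE_PHRASES = ("shared a file with you", "invited you to review", "shared a document")
# Core Google root domains treated as legitimate sender/link targets (assumption, not the rule's list).
GOOGLE_ROOTS = {"google.com", "googleusercontent.com", "gmail.com"}
LINK_RE = re.compile(r"""https?://[^\s"'<>)]+""")

def root_domain(host: str) -> str:
    # Last two DNS labels; naive (no public-suffix list) but sufficient for the sample data.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_message(raw: str) -> dict:
    # Applies the four summary checks to a single-part text/plain message.
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # plain-text payload of a non-multipart message
    text = f"{subject}\n{body}".lower()
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    link_roots = {root_domain(urlparse(u).hostname or "") for u in LINK_RE.findall(body)}
    checks = {
        "share_phrase": any(p in text for p in SHARE_PHRASES),
        "mentions_google": "google" in text,
        "sender_not_google": root_domain(sender_host) not in GOOGLE_ROOTS,
        "non_google_link": any(r not in GOOGLE_ROOTS for r in link_roots),
    }
    checks["suspicious"] = all(checks.values())  # every indicator must fire, as in the summary
    return checks

# Constructed samples: a lookalike share notice and a genuine-looking Drive notice.
PHISH_SAMPLE = """From: Google Drive <no-reply@drive-notify-example.net>
Subject: Alex shared a file with you
Content-Type: text/plain

Alex invited you to review "Q3 budget.xlsx" on Google Drive.
Open: https://docs-share-example.net/open?id=ABC123
"""
LEGIT_SAMPLE = """From: Google Drive <drive-shares-dm-noreply@google.com>
Subject: Alex shared a file with you
Content-Type: text/plain

Alex shared "Q3 budget.xlsx" with you on Google Drive.
Open: https://drive.google.com/file/d/ABC123/view
"""
```

Only the first sample is flagged: its sender domain and link target both fall outside the Google root-domain set, while the second sample fails the sender check and is left alone.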
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Process
  • Application Log
  • Network Traffic
Created: 2025-02-21