diff --git a/detection-rules/spam_google_group_explict_invite.yml b/detection-rules/spam_google_group_explict_invite.yml new file mode 100644 index 00000000000..d123555fd8c --- /dev/null +++ b/detection-rules/spam_google_group_explict_invite.yml @@ -0,0 +1,67 @@ +name: "Spam: Sexually Explict Google Group Invitation" +description: "Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions." +type: "rule" +severity: "low" +source: | + type.inbound + // + // Warning: This rule contains sexually explict keywords + // + and sender.email.email == "noreply@groups.google.com" + and ( + strings.istarts_with(subject.subject, 'Invitation to join ') + or strings.istarts_with(subject.subject, 'You have been added to ') + // the group name contains sexually explict keywords + or regex.icontains(subject.subject, + '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)' + ) + ) + // the invite is not from an $org_domain user + and not any($org_domains, + strings.icontains(body.current_thread.text, + strings.concat('@', + ., + ' invited you to join the ' + ) + ) + or strings.icontains(body.current_thread.text, + strings.concat('@', ., ' added you to the ') + ) + ) + and ( + // the group name contains 7 char sets at the start and end and must contain a number + regex.icontains(subject.subject, + '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$' + ) + // calls to action in the group name + or regex.icontains(subject.subject, + '(?:added to|to join) .*(join|(?:click|go|tap) here)' + ) + // it contains an emoji in the group name + or regex.icontains(subject.subject, + '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]' + ) + // the description of the group contains sexually explict keywords + or regex.icontains(body.current_thread.text, + '(?:about this group|message from).*(?:(sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce)).*https?://' + ) + // the invitor is an email domain which contains 3 labels + or ( + regex.icontains(body.current_thread.text, + '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the)' + ) + // where the group name contains "lists." + and not regex.icontains(body.current_thread.text, + '\n[^\@]+@(?:[a-zA-Z0-9-]{1,255}\.){2}[a-zA-Z0-9-]{2,255} (?:added you to the|invited you to join the) [^\@]+\@lists\.' + ) + ) + ) +attack_types: + - "Spam" +tactics_and_techniques: + - "Free email provider" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" +id: "4e0bec29-be9c-526f-ad56-824b4d87f55d"