Conversation

@IndiaAce
Member

Description

From a runner. Wanted to test this out as a rule... looking for any mail from drive email addresses that contain an excessive number of CCs that aren't all the same. With cred theft intent.

Associated samples

Associated hunts

  • Hunt 1
    More hunts can be found in the notion doc.

@IndiaAce IndiaAce requested a review from a team as a code owner December 17, 2025 18:17
'[email protected]',
'[email protected]',
)
// length of cc'd
Member Author

Suggested change
// length of cc'd
// length of cc'd recipients is > 30, not all the same, or unidsclosed recipients
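Review bot: the suggested comment text has a typo, "unidsclosed" should read "undisclosed"; otherwise the wording lines up with the three conditions in the logic below it (CC count above 30, CC root domains not all the same, To display name of "Undisclosed recipients"), which is the comment a reader of the rule will want.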

length(recipients.cc) > 30
and not length(distinct(recipients.cc, .email.domain.root_domain)) == 1
)
or all(recipients.to, .display_name == "Undisclosed recipients")
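Review bot: the `or all(recipients.to, .display_name == "Undisclosed recipients")` branch sits outside the closing parenthesis on the line above it, so it is not gated by the CC-count and domain-diversity conditions; if that is intended, say so in the comment, and if `all()` is vacuously true on an empty list, a message with no To recipients at all satisfies this branch, so consider also requiring `length(recipients.to) > 0`. Note too that `distinct(recipients.cc, .email.domain.root_domain)` counts distinct root domains rather than distinct addresses, so 31 different mailboxes under one domain do not count as "not all the same"; worth stating in the comment, since the description phrases the condition in terms of recipients.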
Member Author

There's a better way to do this by checking for valid recipient domains... will look into adding that check.
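The heuristic the description states, with the thresholds and strings visible in the rule fragment above (more than 30 CC recipients that do not all share one root domain, or a To list made up entirely of "Undisclosed recipients", both only for mail from a drive sender), modelled in Python as an added example. This is not the PR's rule and not Sublime's MQL; the sender address, the domains, the root-domain approximation and the sample messages are constructed placeholders, and the real sender list is redacted on this page. It also covers the edge cases a reviewer would check: an empty To list, a single domain spread across sub-domains, and a message sitting exactly at the threshold.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Numbers and strings taken from the rule fragment in the review thread above.
CC_THRESHOLD = 30                        # length(recipients.cc) > 30
UNDISCLOSED = "Undisclosed recipients"   # .display_name == "Undisclosed recipients"


@dataclass
class Recipient:
    email: str
    display_name: str = ""

    def root_domain(self) -> str:
        # Assumption: a two-label approximation of MQL's
        # .email.domain.root_domain. The real field is public-suffix aware
        # (co.uk and friends); this stand-in is not.
        labels = self.email.rsplit("@", 1)[-1].lower().split(".")
        return ".".join(labels[-2:])


@dataclass
class Message:
    sender: str
    to: list[Recipient] = field(default_factory=list)
    cc: list[Recipient] = field(default_factory=list)


def excessive_mixed_cc(msg: Message) -> bool:
    """More than CC_THRESHOLD CC recipients that do not all share one root domain."""
    if len(msg.cc) <= CC_THRESHOLD:
        return False
    return len({r.root_domain() for r in msg.cc}) != 1


def undisclosed_recipients(msg: Message) -> bool:
    """Every To entry carries the 'Undisclosed recipients' display name.

    The bool(msg.to) guard is deliberate: all() over an empty list is True,
    which would make a message with no To recipients match this branch.
    """
    return bool(msg.to) and all(r.display_name == UNDISCLOSED for r in msg.to)


def matches(msg: Message, drive_senders: set[str]) -> bool:
    """Sender must be on the drive-sender list, then either branch may fire."""
    return msg.sender.lower() in drive_senders and (
        excessive_mixed_cc(msg) or undisclosed_recipients(msg)
    )


# Constructed placeholder; the real sender addresses are redacted on the PR page.
DRIVE_SENDERS = {"drive-share-placeholder@example.com"}
_SENDER = "drive-share-placeholder@example.com"


def _cc(n: int, domains: list[str]) -> list[Recipient]:
    """Build n constructed CC recipients cycling through the given domains."""
    return [Recipient(f"user{i}@{domains[i % len(domains)]}") for i in range(n)]


# Constructed sample messages covering each branch and its edge cases.
SAMPLES = {
    # 35 CCs spread over three root domains: fires.
    "mixed_cc": Message(_SENDER, [Recipient("a@corp.example")],
                        _cc(35, ["corp.example", "other.example", "mail.third.example"])),
    # 35 CCs that all resolve to corp.example (sub-domain included): does not fire.
    "single_domain_cc": Message(_SENDER, [Recipient("a@corp.example")],
                                _cc(35, ["corp.example", "hr.corp.example"])),
    # Only three CCs, but To is the undisclosed placeholder: fires.
    "undisclosed": Message(_SENDER, [Recipient("x@corp.example", UNDISCLOSED)],
                           _cc(3, ["corp.example"])),
    # Same To shape, but not from a drive sender: does not fire.
    "wrong_sender": Message("someone@corp.example",
                            [Recipient("x@corp.example", UNDISCLOSED)]),
    # No To and no CC at all: the empty-list guard keeps this quiet.
    "empty_to": Message(_SENDER),
    # Exactly 30 CCs: the comparison is strict, so this does not fire.
    "at_threshold": Message(_SENDER, [Recipient("a@corp.example")],
                            _cc(30, ["corp.example", "other.example"])),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the heuristic over every constructed sample."""
    return {name: matches(msg, DRIVE_SENDERS) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} {'MATCH' if hit else 'no match'}")
```

The `single_domain_cc` sample is the case the root-domain comparison is there for: a large internal distribution under one organisation should not trip the rule, while `mixed_cc` (the same count spread across unrelated domains) should. Swap the two-label `root_domain()` stand-in for a public-suffix-aware library before using this outside a demonstration.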

@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Dec 17, 2025
github-actions bot added a commit that referenced this pull request Dec 17, 2025
…ive CC recipients and credential theft language
Labels

in-test-rules PR is in our testing suite to collect telemetry
