Techniques
Sample rules
Gsuite Email With Known Abuse Web Service Link
- source: splunk
- technicques:
- T1566.001
- T1566
Description
The following analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite Gmail logs to identify emails with these specific domains in their links. This activity is significant because these services are commonly used by attackers to deliver malicious payloads. If confirmed malicious, this could lead to the delivery of malware, phishing attacks, or other harmful activities, potentially compromising sensitive information or systems within the organization.
Detection logic
`gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*telegram*","t.me")
| rex field=source.from_header_address "[^@]+@(?<source_domain>[^@]+)"
| rex field=destination{}.address "[^@]+@(?<dest_domain>[^@]+)"
| where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="low"
|stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_email_with_known_abuse_web_service_link_filter`