New rule - Google Drive abuse: Credential phishing link (#1069)

Co-authored-by: ID Generator <[email protected]>

detection-rules/google_drive_abuse_credential_phishing.yml

@@ -0,0 +1,43 @@
+name: "Google Drive abuse: Credential phishing link"
+description: |
+  This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.
+
+  The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and sender.email.email in (
+    "[email protected]",
+    "[email protected]"
+  )
+  and any(body.links,
+          .href_url.domain.domain != "support.google.com"
+          and any(file.explode(beta.linkanalysis(.).screenshot),
+                  (
+                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                        .name == "cred_theft"
+                        and .confidence in ("medium", "high")
+                    )
+                    or (
+                      length(ml.logo_detect(beta.linkanalysis(..).screenshot).brands
+                      ) > 0
+                      and beta.linkanalysis(..).credphish.disposition == "phishing"
+                    )
+                  )
+                  and not beta.linkanalysis(..).effective_url.domain.domain == "accounts.google.com"
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free file host"
+  - "Impersonation: Brand"
+detection_methods:
+  - "Computer Vision"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+  - "URL analysis"
+  - "URL screenshot"
+id: "c74aece0-b8ac-53bc-861f-ac28a419a345"