sublime-rules
Create impersonation_google_workspace.yml
Description
This rule is designed to detect the impersonation of Google Workspace, where the sample relies on logic inside the email, including correct imagery, and excludes forwarded contents (to spam@ or IT helpdesks).
Associated hunts
This hunt appears to be a specific, limited campaign, so this rule will require additional coverage if it's limited to this two-day campaign.
Screenshot (insights)
This image excludes sensitive recipients.
Here is a canonical of an interactive example:
17e01859-333e-4c3f-bafe-11a6e5635d67
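As an added illustration of the logic the description outlines (this is not the rule submitted in this PR, nor Sublime's MQL, and it does not reproduce the real rule's conditions), here is a small Python model: flag a message that carries Google Workspace wording or hot-links Google-hosted imagery but is not sent from a Google domain, and skip messages that were forwarded to a reporting mailbox such as spam@ or an IT helpdesk. The accepted domains, logo hosts, mailbox patterns and sample messages are all assumptions constructed for the example.

```python
"""Toy model of a Google Workspace impersonation check (added example, not
the project's rule). Every list and sample message below is an assumption
constructed for illustration only."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: domains from which genuine Workspace mail is accepted.
GOOGLE_DOMAINS = {"google.com", "googlemail.com"}
# Assumption: hosts serving the genuine logo; a lure that hot-links the real
# image still "looks right" to the recipient, which is the point of the check.
LOGO_HOSTS = {"gstatic.com", "google.com"}
WORKSPACE_TEXT = re.compile(r"google\s*workspace|g\s*suite", re.I)
# Assumption: local-parts of mailboxes users forward suspicious mail to.
REPORT_MAILBOX = re.compile(
    r"^(spam|abuse|phish(ing)?|helpdesk|it-?help(desk)?|servicedesk)@", re.I
)


@dataclass
class Message:
    sender_display: str
    sender_email: str
    subject: str
    body_text: str
    image_srcs: list[str] = field(default_factory=list)
    recipients: list[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def is_google_domain(domain: str) -> bool:
    """Exact or subdomain match only: 'google.com.evil.example' must not pass."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in GOOGLE_DOMAINS)


def hosts_google_logo(msg: Message) -> bool:
    """True if any embedded image is served from a Google-owned host."""
    for src in msg.image_srcs:
        host = (urlparse(src).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in LOGO_HOSTS):
            return True
    return False


def uses_workspace_branding(msg: Message) -> bool:
    text = f"{msg.sender_display} {msg.subject} {msg.body_text}"
    return bool(WORKSPACE_TEXT.search(text)) or hosts_google_logo(msg)


def is_forwarded_report(msg: Message) -> bool:
    """Exclude mail a user forwarded to a reporting mailbox: the lure is still
    inside it, but the recipient is exactly who should be looking at it."""
    return any(REPORT_MAILBOX.match(r.strip()) for r in msg.recipients)


def matches(msg: Message) -> bool:
    if is_forwarded_report(msg):
        return False
    return uses_workspace_branding(msg) and not is_google_domain(
        sender_domain(msg.sender_email)
    )


# Constructed sample messages (not real mail; addresses and URLs are made up).
PHISH = Message(
    sender_display="Google Workspace",
    sender_email="admin@workspace-alerts.example",
    subject="Action required: your Google Workspace storage is full",
    body_text="Your account will be suspended. Review your storage now.",
    image_srcs=["https://www.gstatic.com/images/workspace_logo.png"],
    recipients=["alice@corp.example"],
)
LEGIT = Message(
    sender_display="The Google Workspace Team",
    sender_email="workspace-noreply@google.com",
    subject="Your Google Workspace invoice is available",
    body_text="Your monthly invoice is ready in the Admin console.",
    image_srcs=["https://www.gstatic.com/images/workspace_logo.png"],
    recipients=["billing@corp.example"],
)
FORWARDED_REPORT = Message(
    sender_display="Alice Example",
    sender_email="alice@corp.example",
    subject="FW: Action required: your Google Workspace storage is full",
    body_text="Is this real? ---------- Forwarded message ----------",
    image_srcs=list(PHISH.image_srcs),
    recipients=["spam@corp.example"],
)

if __name__ == "__main__":
    for name, m in [("phish", PHISH), ("legit", LEGIT), ("forwarded report", FORWARDED_REPORT)]:
        print(f"{name:17s} -> {'MATCH' if matches(m) else 'no match'}")
```

The "correct imagery" condition is reduced here to a check on the image host, which is only a stand-in for whatever the real rule inspects. The forwarded-report exclusion is keyed on the recipient rather than on a "FW:" subject prefix, because users do not reliably keep that prefix when they forward to a helpdesk.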