Create spam_google_looker_studio_report.yml by @zoomequipd #2305 Source SHA 6dbd352 Triggered by @zoomequipd
Sublime Rule Testing Bot
committed
Jan 13, 2025
1 parent
a86ef56
commit 7d70f03
Showing
1 changed file
with
16 additions
and
0 deletions.
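--- a/spam_google_looker_studio_report.yml
+++ b/spam_google_looker_studio_report.yml
@@ -0,0 +1,16 @@
+name: "Spam: Sexually Explict Looker Studio Report"
+description: "Detects suspicious Looker Studio Reports which containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report."
+type: "rule"
+severity: "low"
+source: "type.inbound\n// \n// Warning: This rule contains sexually explict keywords\n// \nand sender.email.email == \"[email protected]\"\n// the invite is not from an $org_domain user\nand all(headers.reply_to,\n .email.domain.domain not in $org_domains\n and .email.email not in $recipient_emails\n and .email.email not in $sender_emails\n)\nand (\n // it contains an emoji in the group name\n regex.icontains(subject.subject,\n '[\\x{1F300}-\\x{1F5FF}\\x{1F600}-\\x{1F64F}\\x{1F680}-\\x{1F6FF}\\x{1F700}-\\x{1F77F}\\x{1F780}-\\x{1F7FF}\\x{1F900}-\\x{1F9FF}\\x{2600}-\\x{26FF}\\x{2700}-\\x{27BF}\\x{2300}-\\x{23FF}] - '\n )\n // the description of the group contains sexually explict keywords\n // this regex should be kept in sync between the Google Group and the Looker Studio rules\n or regex.icontains(body.current_thread.text,\n 'View the\\s*(?:\\w+\\s+){0,3}\\s*report.*(?:sex|horny|cock|fuck|\\bass\\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult\\s*(?:\\w+\\s+){0,2}\\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner).*https?://'\n )\n)\n"
+attack_types:
+  - "Spam"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Free email provider"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+id: "f1e649cd-63c0-5df4-86c9-72adc4eef0f0"
+testing_pr: 2305
+testing_sha: 6dbd352f972de34b08b20af846aff6fe04346e55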
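Review bot: The Reply-To gate in the `source` string appears to be vacuously satisfied when the header is absent, because `all(headers.reply_to, ...)` over an empty list evaluates true, so a message with no Reply-To clears the "not from an $org_domain user" check on the fixed sender address alone; if share notifications do not always carry Reply-To, guard it with `length(headers.reply_to) > 0 and all(headers.reply_to, ...)`. The inline comments still describe the Google Group rule this was adapted from (`// it contains an emoji in the group name`, `// the description of the group contains sexually explict keywords`) and should name the report subject and body instead, e.g. `// the report name in the subject contains an emoji` and `// the report body contains sexually explicit keywords`. The sync comment would be more actionable if it named the Google Group rule file so the two keyword regexes can actually be diffed against each other. Separately, `name` and the in-source warning misspell "explicit" as "explict", and the `description` reads "which containing"; `Detects suspicious Looker Studio Reports that contain inappropriate content or suspicious patterns.` reads correctly.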