Conversation

IndiaAce
Member

@IndiaAce IndiaAce commented Aug 18, 2025

Description

From a runner, creating coverage for google classroom spoofing. Similar to Zoom Docs abuse.

Associated samples

Associated hunts

@IndiaAce IndiaAce requested a review from a team as a code owner August 18, 2025 15:03
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Aug 18, 2025
github-actions bot added a commit that referenced this pull request Aug 18, 2025
github-actions bot added a commit that referenced this pull request Aug 21, 2025
github-actions bot added a commit that referenced this pull request Aug 21, 2025
@MSAdministrator
Contributor

The following was supplied by a community member in Slack. Here's the MQL they provided:

type.inbound
and sender.email.email == "no-reply@classroom.google.com"
and any(file.explode(beta.message_screenshot()),
        // WhatsApp number regex
        (
          regex.icontains(.scan.ocr.raw,
                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{3}',
                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{3}'
          )
          // phone number regex
          or regex.icontains(.scan.ocr.raw,
                             '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                             '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
          )
        )
)

The thread is here
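To make the community-supplied logic concrete, here is an added Python re-implementation of the same rule (example code, not from the PR or from Sublime's rule set). It copies the four regexes verbatim, approximates `regex.icontains` with a case-insensitive `re.search` (assumption: the MQL function with several patterns is an OR over them), and stands in for `file.explode(beta.message_screenshot())` with a list of pre-extracted OCR strings; the sample OCR text, the message dicts and the `ocr_texts` field are all constructed for the example.

```python
import re

# Regexes copied from the MQL in the comment above. The first pattern of each pair
# tolerates OCR confusables (the letters i, l and o read in place of the digits 1 and 0);
# the second tolerates spacing and punctuation between the digit groups. A 3-3-3 layout
# is treated as a WhatsApp number and 3-3-4 as a conventional phone number.
WHATSAPP_PATTERNS = (
    r'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{3}',
    r'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{3}',
)
PHONE_PATTERNS = (
    r'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
    r'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}',
)

# Sender the rule pins, as in the MQL.
CLASSROOM_SENDER = "no-reply@classroom.google.com"


def regex_icontains(text, *patterns):
    """Stand-in for MQL regex.icontains: case-insensitive search, true if any pattern
    matches (assumption: several patterns behave as an OR)."""
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def find_numbers(text):
    """Return (family, matched text) for each pattern that fires, for analyst triage."""
    hits = []
    for family, patterns in (("whatsapp", WHATSAPP_PATTERNS), ("phone", PHONE_PATTERNS)):
        for pattern in patterns:
            match = re.search(pattern, text, re.IGNORECASE)
            if match:
                hits.append((family, match.group(0)))
    return hits


def matches_rule(message):
    """Evaluate the rule over a simplified message dict.

    message["ocr_texts"] (constructed field) stands in for the OCR output of each file
    produced by file.explode(beta.message_screenshot()); running OCR itself is outside
    this example.
    """
    if message["type"] != "inbound":
        return False
    if message["sender"] != CLASSROOM_SENDER:  # mirrors the exact == comparison in the MQL
        return False
    return any(
        regex_icontains(ocr, *WHATSAPP_PATTERNS) or regex_icontains(ocr, *PHONE_PATTERNS)
        for ocr in message["ocr_texts"]
    )


# Constructed sample OCR output (not taken from the page or from real telemetry).
# The spoofed case uses the confusables the regexes are built for: "l" for 1, "O" for 0.
SPOOFED_INVITE = {
    "type": "inbound",
    "sender": CLASSROOM_SENDER,
    "ocr_texts": [
        "Urgent: your account will be suspended.\n"
        "Contact support on WhatsApp +l (8OO) 555 Ol23 to keep access.",
    ],
}
LEGIT_INVITE = {
    "type": "inbound",
    "sender": CLASSROOM_SENDER,
    "ocr_texts": ["Your teacher posted a new assignment: Chapter 3 review, due Friday."],
}
WRONG_SENDER = {
    "type": "inbound",
    "sender": "classroom-invites@example.com",  # constructed, not the pinned sender
    "ocr_texts": SPOOFED_INVITE["ocr_texts"],
}

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED_INVITE), ("legit", LEGIT_INVITE),
                      ("wrong sender", WRONG_SENDER)):
        print(name, matches_rule(msg), find_numbers(" ".join(msg["ocr_texts"])))
```

Running it shows the confusable-laden number firing both the 3-3-3 and 3-3-4 patterns while the benign assignment notice stays quiet. Note how broad the first pattern of each pair is: any three runs of three characters from `[ilo0-9]`, each separated by at most one arbitrary character, will match, so the `sender.email.email` constraint is doing a lot of the work and the OCR regexes are worth checking against a sample of benign Classroom screenshots before the rule leaves the telemetry-collection stage.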

@IndiaAce
Member Author

> The following was supplied by a community member in Slack. Here's the MQL they provided:
>
> type.inbound
> and sender.email.email == "no-reply@classroom.google.com"
> and any(file.explode(beta.message_screenshot()),
>         // WhatsApp number regex
>         (
>           regex.icontains(.scan.ocr.raw,
>                           '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{3}',
>                           '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{3}'
>           )
>           // phone number regex
>           or regex.icontains(.scan.ocr.raw,
>                              '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
>                              '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
>           )
>         )
> )
>
> The thread is here

Thanks for this! Updating rule to contain the provided logic as an or statement to expand coverage.

github-actions bot added a commit that referenced this pull request Aug 25, 2025
github-actions bot added a commit that referenced this pull request Aug 25, 2025
…or phone numbers in the screenshot of attachments, specifically that mention WhatsApp
github-actions bot added a commit that referenced this pull request Sep 1, 2025
github-actions bot added a commit that referenced this pull request Sep 1, 2025
@IndiaAce IndiaAce added the review-needed Indicates that a PR is waiting for review label Sep 2, 2025
@aidenmitchell aidenmitchell added this pull request to the merge queue Sep 2, 2025
Merged via the queue into sublime-security:main with commit e8148e1 Sep 2, 2025
3 checks passed