Attackers may be using compromised email accounts to distribute malicious Google Docs links as part of a phishing campaign leading to ransomware deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential initial compromise vectors before lateral movement and data exfiltration occur.
KQL Query
EmailUrlInfo
| where Url startswith "https://docs.google.com/document/"
| join (EmailEvents
    | where EmailDirection == "Inbound"
    | where InternetMessageId matches regex "\\<\\w{38,42}\\@") on NetworkMessageId
id: 5b94411c-9311-48cd-8f7f-e35b42174e2d
name: Suspicious Google Doc Links
description: |
  Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link to a document in Google Docs. These behaviors have
  been observed leading to ransomware attacks.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
      - EmailEvents
tactics:
  - Initial access
  - Ransomware
query: |
  EmailUrlInfo
  | where Url startswith "https://docs.google.com/document/"
  | join (EmailEvents
      | where EmailDirection == "Inbound"
      | where InternetMessageId matches regex "\\<\\w{38,42}\\@") on NetworkMessageId
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Legitimate Google Docs Link Shared in Team Collaboration
Description: A team member shares a legitimate Google Docs link via email as part of a collaborative project.
Filter/Exclusion: body contains "shared with you" AND subject contains "Project Update" AND from contains "[email protected]"
Scenario: Scheduled Job Generating Google Docs Reports
Description: An automated job runs nightly to generate and email a Google Docs report to stakeholders.
Filter/Exclusion: header received_date > now() - 1d AND from contains "[email protected]" AND subject contains "Daily Report"
Scenario: Admin Task to Distribute Training Materials via Google Docs
Description: An admin sends out a Google Docs link as part of a security training module to all employees.
Filter/Exclusion: from contains "[email protected]" AND subject contains "Security Training Module" AND body contains "training material"
Scenario: Internal Tool Used for Document Collaboration
Description: A company’s internal tool (e.g., Microsoft Teams or Slack) automatically embeds a Google Docs link for real-time collaboration.
Filter/Exclusion: header received_from contains "teams.microsoft.com" OR header received_from contains "slack.com"
Scenario: User Shares a Google Doc Link via Email for Internal Review
Description: A user sends a Google Docs link to a colleague for internal review, which is a common practice in some departments.
Filter/Exclusion: from contains "[email protected]" AND to contains "[email protected]" AND subject contains "Review Request"
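Added example, not part of the original hunting query or any Microsoft code: the three conditions of the KQL above (Google Docs document URL, inbound direction, Message-ID with 38-42 word characters before the "@") re-implemented in Python over constructed EmailUrlInfo/EmailEvents rows, with an allowlist hook for the legitimate-sender exclusions described in the scenarios above. The sample rows, sender addresses and the `suspicious_gdoc_emails` function name are assumptions made for this example.

```python
import re

# Same pattern as the KQL above: "<", then 38-42 word characters, then "@".
# The quantifier must be written {38,42} with no spaces; "{ 38,42} " is not a
# quantifier and would match nothing useful.
MESSAGE_ID_RE = re.compile(r"<\w{38,42}@")
GDOC_PREFIX = "https://docs.google.com/document/"


def suspicious_gdoc_emails(url_rows, event_rows, allowlisted_senders=()):
    """Mirror the KQL join; return matching NetworkMessageIds minus allowlisted senders."""
    events = {e["NetworkMessageId"]: e for e in event_rows}  # join key
    hits = []
    for row in url_rows:
        if not row["Url"].startswith(GDOC_PREFIX):
            continue
        event = events.get(row["NetworkMessageId"])
        if event is None or event["EmailDirection"] != "Inbound":
            continue
        if not MESSAGE_ID_RE.search(event["InternetMessageId"]):
            continue
        if event["SenderFromAddress"].lower() in allowlisted_senders:
            continue
        hits.append(row["NetworkMessageId"])
    return hits


def _event(nid, direction, local_part, sender):
    return {"NetworkMessageId": nid, "EmailDirection": direction,
            "InternetMessageId": f"<{local_part}@mail.example>",
            "SenderFromAddress": sender}


# Constructed sample telemetry (not real data): only n1 should be flagged
# once the training sender is allowlisted.
URL_ROWS = [
    {"NetworkMessageId": "n1", "Url": GDOC_PREFIX + "d/1AbC/edit"},
    {"NetworkMessageId": "n2", "Url": "https://docs.google.com/spreadsheets/d/2XyZ/edit"},
    {"NetworkMessageId": "n3", "Url": GDOC_PREFIX + "d/3DeF/edit"},
    {"NetworkMessageId": "n4", "Url": GDOC_PREFIX + "d/4GhI/edit"},
    {"NetworkMessageId": "n5", "Url": GDOC_PREFIX + "d/5JkL/edit"},
]
EVENT_ROWS = [
    _event("n1", "Inbound", "a" * 40, "unknown@external.example"),
    _event("n2", "Inbound", "b" * 40, "unknown@external.example"),  # not a /document/ URL
    _event("n3", "Outbound", "c" * 40, "staff@corp.example"),        # not inbound
    _event("n4", "Inbound", "short12", "unknown@external.example"),  # Message-ID too short
    _event("n5", "Inbound", "d" * 40, "training@corp.example"),     # allowlisted sender
]
```

Run `suspicious_gdoc_emails(URL_ROWS, EVENT_ROWS, {"training@corp.example"})` to see only `n1` returned; without the allowlist, `n5` is returned as well, which is the false positive the training-material scenario describes.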