Good afternoon.
I'm seeing an increase in spam/phishing that is utilizing Google Docs. I
see a rule that seems to be intended to flag certain Google Docs related
URLs, but not the ones I'm seeing.
72_active.cf:uri __URI_GOOGLE_DOC
m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i
The URLs I'm seeing don't match that regex. They all appear to have the
following prefix:
https://docs.google.com/document/d/e/
I think it might be useful to update the pattern to something like the
following, so it could be used by other meta rules, but thought I'd check
with the community first:
m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:id|formkey)=|document),i
Thoughts or opinions?
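
The check below is an added example, not part of the original post or of the SpamAssassin rule set: it runs the current and proposed patterns from the post over constructed sample URLs to show which URL shapes each one hits. The NARROW pattern and all sample URLs (with PLACEHOLDER document IDs) are assumptions made for illustration.

```python
import re

# Patterns copied from the post; SpamAssassin's m,...,i becomes re.I here.
CURRENT = re.compile(
    r"^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=",
    re.I)
PROPOSED = re.compile(
    r"^https?://docs\.google\.com/(?:[^/]+/)*"
    r"(?:view(?:form)?\?(?:id|formkey)=|document)",
    re.I)
# Hypothetical variant (not from the post): match only the reported
# /document/d/e/ prefix in addition to the legacy form URLs.
NARROW = re.compile(
    r"^https?://docs\.google\.com/"
    r"(?:(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=|document/d/e/)",
    re.I)

PATTERNS = {"current": CURRENT, "proposed": PROPOSED, "narrow": NARROW}

# Constructed sample URLs; IDs are placeholders, not real documents.
SAMPLES = {
    "legacy_form": "https://docs.google.com/a/example.com/viewform?formkey=PLACEHOLDER",
    "published_doc": "https://docs.google.com/document/d/e/PLACEHOLDER/pub",
    "editor_doc": "https://docs.google.com/document/d/PLACEHOLDER/edit",
    "spreadsheet": "https://docs.google.com/spreadsheets/d/PLACEHOLDER/edit",
    "lookalike_host": "https://docs.google.com.example.net/document/d/e/PLACEHOLDER",
}


def evaluate(patterns=PATTERNS, samples=SAMPLES):
    """Return {sample_name: {pattern_name: matched?}} for every pairing."""
    return {
        name: {label: bool(rx.search(url)) for label, rx in patterns.items()}
        for name, url in samples.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        flags = "  ".join(f"{label}={'hit' if hit else '-'}"
                          for label, hit in hits.items())
        print(f"{name:15} {flags}")
```

Since __URI_GOOGLE_DOC is a subrule consumed by meta rules, the difference between "proposed" and "narrow" on ordinary /document/d/<id>/edit links is the part to weigh before changing it.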