Attachment: EML file with IPFS links
Attached EML uses engaging language and IPFS links were detected in the EML file. IPFS has been recently observed hosting phishing sites.
Sublime rule
name: "Attachment: EML file with IPFS links"
description: |
  Attached EML uses engaging language and IPFS links were detected in the EML file. IPFS has been recently observed hosting phishing sites.
references:
  - "https://docs.ipfs.tech/how-to/address-ipfs-on-web/"
  - "https://securelist.com/ipfs-phishing/109158/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .content_type == "message/rfc822"
          and any(file.explode(.),
                  any(.scan.url.urls,
                      strings.icontains(beta.linkanalysis(.).effective_url.url, 'ipfs')
                      or (
                        regex.icontains(beta.linkanalysis(.).effective_url.path,
                                        '[\.-/]ipfs|ipfs[\.-/]'
                        )
                        and beta.linkanalysis(.).effective_url.domain.domain not in $org_domains
                        and (
                          (
                            // don't include high rep domains
                            beta.linkanalysis(.).effective_url.domain.domain not in $tranco_1m
                            and beta.linkanalysis(.).effective_url.domain.domain not in $umbrella_1m
                          )
                          // if it's in Tranco or Umbrella, still include it if it's one of these
                          or beta.linkanalysis(.).effective_url.domain.domain in $free_file_hosts
                          or beta.linkanalysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
                        )
                      )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "IPFS"
detection_methods:
  - "File analysis"
  - "URL analysis"
id: "1fe9d7e7-892b-5b7f-a334-53b3fbddb9fe"
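As an added illustration that is not part of the Sublime rule or its repository, the rule's per-URL test re-implemented in Python over already-resolved effective URLs: the list variables, hostnames and CIDs are constructed stand-ins, and the separator class escapes the hyphen so that '.', '-' and '/' all match literally.

```python
import re
from urllib.parse import urlparse

# Same separators as the rule's path pattern; the hyphen is escaped so that '.',
# '-' and '/' are all literal (unescaped inside a class, '-' denotes a range).
IPFS_PATH_RE = re.compile(r"[.\-/]ipfs|ipfs[.\-/]", re.IGNORECASE)

# Constructed stand-ins for the rule's lists ($org_domains, $tranco_1m,
# $umbrella_1m, $free_file_hosts, $free_subdomain_hosts); all hosts are made up.
ORG_DOMAINS = {"example.com"}
TRANCO_1M = {"trusted.example.org", "gateway.example.org", "user.pages.example"}
UMBRELLA_1M = set(TRANCO_1M)
FREE_FILE_HOSTS = {"gateway.example.org"}
FREE_SUBDOMAIN_HOSTS = {"pages.example"}

def root_domain(host: str) -> str:
    # Registrable domain approximated as the last two labels (no public-suffix list).
    return ".".join(host.split(".")[-2:])

def ipfs_path_branch(url: str) -> bool:
    """The rule's reputation-gated clause: an IPFS-looking path on a host that is
    not ours and is either low-reputation or a known free file/subdomain host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not IPFS_PATH_RE.search(parsed.path) or host in ORG_DOMAINS:
        return False
    low_rep = host not in TRANCO_1M and host not in UMBRELLA_1M
    return low_rep or host in FREE_FILE_HOSTS or root_domain(host) in FREE_SUBDOMAIN_HOSTS

def matches_rule(url: str) -> bool:
    """Full per-URL test. Note the first clause already covers every URL the path
    branch can match, because the path is part of the URL string."""
    return "ipfs" in url.lower() or ipfs_path_branch(url)

def flag_attached_eml_urls(urls):
    """Return the effective URLs from an attached message/rfc822 that the rule flags."""
    return [u for u in urls if matches_rule(u)]

# Constructed sample: effective URLs as they might be extracted from an attached EML.
SAMPLE_URLS = [
    "https://bafyconstructedcid.ipfs.dweb.link/index.html",      # subdomain gateway
    "https://cdn.example.net/ipfs/QmConstructedCid/login.html",  # path gateway
    "https://example.com/news/ipfs-update",                      # org domain, clause 1 still hits
    "https://login.example.net/",                                # no IPFS indicator
]

if __name__ == "__main__":
    print(flag_attached_eml_urls(SAMPLE_URLS))
```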