Attachment: EML file with IPFS links
Attached EML uses engaging language and IPFS links were detected in the EML file. IPFS has been recently observed hosting phishing sites.
Sublime rule (View on GitHub)
1name: "Attachment: EML file with IPFS links"
2description: |
3 Attached EML uses engaging language and IPFS links were detected in the EML file. IPFS has been recently observed hosting phishing sites.
4references:
5 - "https://docs.ipfs.tech/how-to/address-ipfs-on-web/"
6 - "https://securelist.com/ipfs-phishing/109158/"
7type: "rule"
8severity: "medium"
9source: |
10 type.inbound
11 and any(attachments,
12 .content_type == "message/rfc822"
13 and any(file.explode(.),
14 any(.scan.url.urls,
15 strings.icontains(ml.link_analysis(.).effective_url.url,
16 'ipfs'
17 )
18 or (
19 regex.icontains(ml.link_analysis(.).effective_url.path,
20 '[\.-/]ipfs|ipfs[\.-/]'
21 )
22 and ml.link_analysis(.).effective_url.domain.domain not in $org_domains
23 and (
24 (
25 // don't include high rep domains
26 ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
27 and ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
28 )
29 // if it's in Tranco or Umbrella, still include it if it's one of these
30 or ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
31 or ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
32 or ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
33 )
34 )
35 )
36 )
37 )
38
39attack_types:
40 - "Credential Phishing"
41tactics_and_techniques:
42 - "Evasion"
43 - "Free file host"
44 - "Free subdomain host"
45 - "IPFS"
46detection_methods:
47 - "File analysis"
48 - "URL analysis"
49id: "1fe9d7e7-892b-5b7f-a334-53b3fbddb9fe"