Attachment: Calendar invite with suspicious link leading to an open redirect
Calendar invite contains a link to either a free file host or a free subdomain host, and the page that link resolves to (after link analysis) contains a further link that passes through an open redirect.
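name: "Attachment: Calendar invite with suspicious link leading to an open redirect"
description: "Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect."
type: "rule"
severity: "high"
source: |
  type.inbound
  // calendar attachments, matched by extension or by MIME type
  and any(attachments,
          (
            .file_extension == "ics"
            or .content_type in ("application/ics", "text/calendar")
          )
          and any(file.explode(.),
                  any(.scan.url.urls,
                      (
                        // stage 1: the invite links to a free file host, or to a
                        // non-www subdomain of a free subdomain host
                        .domain.domain in $free_file_hosts
                        or (
                          .domain.root_domain in $free_subdomain_hosts
                          and .domain.subdomain is not null
                          and .domain.subdomain != "www"
                          // skip direct image links (e.g. hosted logos). This is a
                          // case-sensitive suffix match on the whole URL string, so
                          // ".JPG" or an image URL with a trailing query string is
                          // not excluded and will still be crawled.
                          and not (
                            strings.ends_with(.url, "jpeg")
                            or strings.ends_with(.url, "jpg")
                            or strings.ends_with(.url, "png")
                          )
                        )
                      )
                      // stage 2: crawl that link and require the rendered page to
                      // contain a link whose URL-rewrite chain includes an open
                      // redirect. This follows the link at scan time; the free-host
                      // page itself is not the lure, only the hop to the redirect.
                      and any(ml.link_analysis(.).final_dom.links,
                              any(.href_url.rewrite.encoders,
                                  strings.icontains(., "open_redirect")
                              )
                      )
                  )
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a trusted root domain that fails DMARC is treated as untrusted, i.e. spoofed)
  and (
    sender.email.domain.root_domain not in $high_trust_sender_root_domains
    or any(distinct(headers.hops, .authentication_results.dmarc is not null),
           strings.ilike(.authentication_results.dmarc, "*fail")
    )
  )
  // sender profile: fire for unsolicited senders, or for solicited senders with
  // prior malicious/spam history. Any confirmed false positive from the sender
  // suppresses the rule regardless (the single check below covers both branches).
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Spam"
tactics_and_techniques:
  # NOTE(review): the source above does not reference $free_email_providers or
  # check the sender's domain against one; confirm this tag is intended.
  - "Free email provider"
  - "Free file host"
  - "Free subdomain host"
  - "Open redirect"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "5d6294c7-0b75-5722-851e-27015170bd42"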