Attachment: RTF file with suspicious link
This rule detects RTF attachments, either attached directly or nested inside an archive, that contain an external link to a suspicious low-reputation domain.
Sublime rule (View on GitHub)
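name: "Attachment: RTF file with suspicious link"
description: "This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain."
type: "rule"
severity: "medium"
source: |
  // Inbound mail carrying an RTF attachment (directly, or as a member of a
  // common archive type) whose embedded URLs point at a low-reputation host.
  type.inbound
  and any(attachments,
          // Candidate containers: a common archive extension (`in~` is the
          // case-insensitive form) or a detected RTF file type. Archives are
          // exploded below so an RTF nested inside them is still inspected.
          (
            .file_extension in~ $file_extensions_common_archives
            or .file_type == "rtf"
          )
          and any(file.explode(.),
                  // Only exploded content with an RTF MIME flavor is inspected;
                  // other archive members are ignored.
                  .flavors.mime == 'text/rtf'
                  and any(.scan.url.urls,
                          .domain.valid
                          // Requires the hostname to carry a subdomain label, so
                          // a URL on a bare root domain does not match.
                          and .domain.subdomain is not null
                          // Exclude obvious image references. This is a plain
                          // suffix match on the full URL: ".jpg", upper-case
                          // extensions, or a trailing query string are NOT
                          // excluded.
                          and not (
                            strings.ends_with(.url, "jpeg")
                            or strings.ends_with(.url, "png")
                          )
                          and (
                            // Root domain absent from both popularity lists.
                            (
                              .domain.root_domain not in $tranco_1m
                              and .domain.root_domain not in $umbrella_1m
                            )
                            // Or a popular-but-abusable host category.
                            or (
                              .domain.root_domain in $free_file_hosts
                              or .domain.root_domain in $free_subdomain_hosts
                              or .domain.root_domain in $url_shorteners
                              or .domain.root_domain in $social_landing_hosts
                            )
                            // or the url contains the recipient email and the root_domain is not in tranco
                            // NOTE(review): as written this branch is subsumed by
                            // the first alternative above, which already matches
                            // any root domain outside both lists regardless of
                            // the recipient address, so it never adds a match.
                            // If the intent was to flag a *listed* domain whose
                            // URL carries the recipient's address, the `not in`
                            // checks here would need inverting; confirm before
                            // changing.
                            or (
                              any(recipients.to,
                                  strings.icontains(..url, .email.email)
                              )
                              and (
                                .domain.root_domain not in $tranco_1m
                                and .domain.root_domain not in $umbrella_1m
                              )
                            )
                          )
                  )
          )
  )
  // Suppress senders the recipient has previously solicited, or that have
  // prior messages marked benign.
  and not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
id: "c848f9aa-6e2e-55ea-857e-9d040b22544f"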