Attachment: RTF file with suspicious link
This rule detects RTF attachments, either directly attached or inside an archive, that contain an external link to a suspicious low-reputation domain: the link's root domain is absent from both the Tranco and Umbrella top-1M lists, or it is a free file host, free subdomain host or URL shortener. Links to image files are ignored, and the rule is suppressed for senders the recipient has previously solicited or that have known false positives.
Sublime rule (View on GitHub)
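name: "Attachment: RTF file with suspicious link"
description: "This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // candidate attachments: RTF files, or common archive types that may wrap one
  and any(attachments,
          (
            .file_extension in~ $file_extensions_common_archives
            or .file_type == "rtf"
          )
          // explode the attachment (archive members included) and keep only RTF content
          and any(file.explode(.),
                  .flavors.mime == 'text/rtf'
                  and any(.scan.url.urls,
                          .domain.valid
                          // only hosts that carry a subdomain label; a bare root domain never matches
                          and .domain.subdomain is not null
                          // skip image references. NOTE: this is a plain suffix check on the
                          // URL string (no dot, no extension parsing), so any URL whose last
                          // characters are "jpeg"/"png" is excluded, including ones an attacker
                          // crafts to end that way, e.g. by appending a query string
                          and not (
                            strings.ends_with(.url, "jpeg")
                            or strings.ends_with(.url, "png")
                          )
                          and (
                            // root domain is in neither popularity list
                            (
                              .domain.root_domain not in $tranco_1m
                              and .domain.root_domain not in $umbrella_1m
                            )
                            // or the root domain is a free file host, free subdomain host or
                            // URL shortener, regardless of popularity-list membership
                            or (
                              .domain.root_domain in $free_file_hosts
                              or .domain.root_domain in $free_subdomain_hosts
                              or .domain.root_domain in $url_shorteners
                            )
                            // or the url contains the recipient email and the root_domain is not in tranco/umbrella
                            // (as written, this branch is subsumed by the first: it applies the same
                            // two list checks plus an extra condition)
                            or (
                              any(recipients.to,
                                  strings.icontains(..url, .email.email)
                              )
                              and (
                                .domain.root_domain not in $tranco_1m
                                and .domain.root_domain not in $umbrella_1m
                              )
                            )
                          )
                  )
          )
  )
  // sender-profile suppression: solicited senders and senders with prior false positives
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
id: "c848f9aa-6e2e-55ea-857e-9d040b22544f"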