Attachment: RTF file with suspicious link

This rule detects RTF attachments, attached directly or inside an archive, that contain an external link to a suspicious, low-reputation domain.


 1name: "Attachment: RTF file with suspicious link"
 2description: "This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_extension in~ $file_extensions_common_archives
10            or .file_type == "rtf"
11          )
12          and any(file.explode(.),
13                  .flavors.mime == 'text/rtf'
14                  and any(.scan.url.urls,
15                          .domain.valid
16                          and .domain.subdomain is not null
17                          and not (
18                            strings.ends_with(.url, "jpeg")
19                            or strings.ends_with(.url, "png")
20                          )
21                          and (
22                            (
23                              .domain.root_domain not in $tranco_1m
24                              and .domain.root_domain not in $umbrella_1m
25                            )
26                            or (
27                              .domain.root_domain in $free_file_hosts
28                              or .domain.root_domain in $free_file_hosts
29                              or .domain.root_domain in $free_subdomain_hosts
30                              or .domain.root_domain in $url_shorteners
31                              or .domain.root_domain in $social_landing_hosts
32                            )
33                            // or the url contains the recipient email and the root_domain is not in tranco
34                            or (
35                              any(recipients.to,
36                                  strings.icontains(..url, .email.email)
37                              )
38                              and (
39                                .domain.root_domain not in $tranco_1m
40                                and .domain.root_domain not in $umbrella_1m
41                              )
42                            )
43                          )
44                  )
45          )
46  )
47  and not profile.by_sender().solicited
48  and not profile.by_sender().any_messages_benign  
49
50attack_types:
51  - "Credential Phishing"
52tactics_and_techniques:
53  - "Evasion"
54detection_methods:
55  - "Archive analysis"
56  - "File analysis"
57  - "Sender analysis"
58  - "URL analysis"
59id: "c848f9aa-6e2e-55ea-857e-9d040b22544f"