Attachment: Small text file with link containing recipient email address
Attached text file is less than 1000 bytes and contains a recipient's email address. Seen in the wild carrying credential phishing links.
Sublime rule
name: "Attachment: Small text file with link containing recipient email address"
description: "Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .content_type in~ ("text/plain", "text")
          // negate calendar invites
          and not (
            .file_extension == "ics"
            or .content_type in ("application/ics", "text/calendar")
          )
          and any(file.explode(.),
                  .size < 1000
                  and any(.scan.url.urls,
                          any(recipients.to,
                              strings.icontains(..url, .email.email)
                              and .email.domain.valid
                          )
                  )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
id: "c0472c9d-1e06-5177-90b1-f57620944ff5"
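The attachment and URL part of the rule above, re-implemented in plain Python as an added illustration (this is not Sublime's code, and the sender-profile conditions are left out because they need message history). The sample message is constructed inline; the hypothetical helper names `attachment_hits` and `build_sample` are mine.

```python
"""Flag a message whose small text attachment carries a URL embedding a
recipient's address, mirroring the detection logic of the rule above."""
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
CALENDAR_TYPES = {"application/ics", "text/calendar"}


def attachment_hits(msg: EmailMessage, max_size: int = 1000) -> list[str]:
    """Return URLs found in small text attachments that contain a To: address."""
    to_hdr = msg["to"]
    recipients = [a.addr_spec.lower() for a in to_hdr.addresses] if to_hdr else []
    hits = []
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        # Only text attachments; negate calendar invites exactly as the rule does
        if not ctype.startswith("text/"):
            continue
        if ctype in CALENDAR_TYPES or fname.endswith(".ics"):
            continue
        payload = part.get_payload(decode=True) or b""
        if len(payload) >= max_size:  # rule: .size < 1000
            continue
        text = payload.decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            # case-insensitive containment, like strings.icontains(..url, .email.email)
            if any(r in url.lower() for r in recipients):
                hits.append(url)
    return hits


def build_sample() -> EmailMessage:
    """Constructed sample message (not a real capture): a tiny .txt attachment
    whose link carries the recipient's address in mixed case."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "Jane Doe <jane.doe@example.com>"
    msg["Subject"] = "Document shared"
    msg.set_content("Please see the attached note.")
    note = "Review here: https://login.example.org/auth?user=Jane.Doe@example.com\n"
    msg.add_attachment(note, subtype="plain", filename="note.txt")
    return msg


if __name__ == "__main__":
    print(attachment_hits(build_sample()))
```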