Attachment: Small text file with link containing recipient email address

Attached text file is less than 1000 bytes and contains a recipient's email address. Seen in the wild carrying credential phishing links.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# Flags inbound mail carrying a small plain-text attachment whose extracted
# URLs embed a To: recipient's own address (the description reports this
# pattern being used to deliver credential-phishing links).
name: "Attachment: Small text file with link containing recipient email address"
description: "Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links."
type: "rule"
severity: "medium"
# MQL block scalar: `//` is the MQL line-comment marker (a YAML `#` here would
# become part of the query text).
source: |
  // only evaluate inbound messages
  type.inbound
  and any(attachments,
          // declared MIME type, matched case-insensitively (in~)
          .content_type in~ ("text/plain", "text")
          // negate calendar invites
          and not (
            .file_extension == "ics"
            or .content_type in ("application/ics", "text/calendar")
          )
          // explode the attachment and inspect each resulting object
          and any(file.explode(.),
                  // size bound (bytes) is checked per exploded object
                  .size < 1000
                  // any URL the scan extracted from that object ...
                  and any(.scan.url.urls,
                          // ... whose text contains a To: recipient's address;
                          // `..url` refers to the URL from the enclosing any()
                          // NOTE(review): only recipients.to is consulted, so cc/bcc
                          // recipients are not covered; icontains is a plain
                          // substring match, so an encoded form of the address
                          // presumably would not match — confirm
                          any(recipients.to,
                              strings.icontains(..url, .email.email)
                              // recipient domain must be well-formed
                              and .email.domain.valid
                          )
                  )
          )
  )  
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
id: "c0472c9d-1e06-5177-90b1-f57620944ff5"

