File sharing link from suspicious sender domain

A file-sharing link in the message body, sent from a sender domain whose top-level domain is on the suspicious-TLD list.

Sublime rule

```yaml
name: "File sharing link from suspicious sender domain"
description: |
    A file sharing link in the body sent from a suspicious sender domain.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
  )
  and sender.email.domain.tld in $suspicious_tlds
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "95f20354-3091-537e-9fe0-80ea8b64913b"
```
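To make the three conditions of the rule concrete (a link to a free file host, a suspicious sender TLD, and an unsolicited or previously-bad sender), here is an added Python re-implementation of its logic run over constructed sample messages; it is not Sublime's code, and the `FREE_FILE_HOSTS` and `SUSPICIOUS_TLDS` sets are stand-ins for the `$free_file_hosts` and `$suspicious_tlds` lists, whose real contents are not on this page.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's $free_file_hosts and $suspicious_tlds lists (assumption).
FREE_FILE_HOSTS = {"example-files.test", "share.example-drive.test"}
SUSPICIOUS_TLDS = {"xyz", "top", "cam"}
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def root_domain(host: str) -> str:
    # Simplified: last two labels. Production code should consult the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def link_hits_free_file_host(href: str) -> bool:
    # Mirrors: .href_url.domain.domain in $free_file_hosts or .href_url.domain.root_domain in $free_file_hosts
    host = (urlparse(href).hostname or "").lower()
    return host in FREE_FILE_HOSTS or root_domain(host) in FREE_FILE_HOSTS

def sender_is_suspicious(profile: dict) -> bool:
    # Mirrors the profile.by_sender() clause: unsolicited, or prior spam/malware with no false positives.
    return (not profile["solicited"]
            or (profile["any_messages_malicious_or_spam"] and not profile["any_false_positives"]))

def rule_matches(msg: dict) -> bool:
    if not msg["inbound"]:
        return False
    if not any(link_hits_free_file_host(h) for h in HREF_RE.findall(msg["body_html"])):
        return False
    if msg["sender_email"].rsplit(".", 1)[-1].lower() not in SUSPICIOUS_TLDS:
        return False
    return sender_is_suspicious(msg["profile"])

# Constructed sample messages, one per clause of the rule (sender history values are invented).
def sample(sender: str, href: str, **profile) -> dict:
    hist = {"solicited": False, "any_messages_malicious_or_spam": False, "any_false_positives": False, **profile}
    return {"inbound": True, "sender_email": sender, "profile": hist,
            "body_html": f'<p>Invoice attached: <a href="{href}">download</a></p>'}

SAMPLES = {
    "unsolicited_free_host": sample("billing@notice-portal.xyz", "https://www.example-files.test/d/abc"),
    "solicited_clean_history": sample("billing@notice-portal.xyz", "https://www.example-files.test/d/abc", solicited=True),
    "prior_spam_from_sender": sample("billing@notice-portal.xyz", "https://share.example-drive.test/x",
                                     solicited=True, any_messages_malicious_or_spam=True),
    "benign_tld": sample("billing@partner.example", "https://www.example-files.test/d/abc"),
    "no_file_host_link": sample("billing@notice-portal.xyz", "https://www.example.test/login"),
}

def evaluate_samples() -> dict:
    # Returns {sample name: True if the rule would flag the message}.
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}
```

Only the first and third samples match: the second is suppressed by the sender profile, and the last two fail the TLD and link clauses respectively.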
