File sharing link from suspicious sender domain

 1name: "File sharing link from suspicious sender domain"
 2description: |
 3    A file sharing link in the body sent from a suspicious sender domain.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(body.links,
 9          (
10            .href_url.domain.domain in $free_file_hosts
11            or .href_url.domain.root_domain in $free_file_hosts
12          )
13          and not .href_url.domain.domain in $tenant_domains
14          // remove free_file_hosts used to host images as links
15          and not any($file_types_images,
16                      strings.iends_with(..href_url.url, strings.concat('.', .))
17          )
18  )
19  and sender.email.domain.tld in $suspicious_tlds
20  and not sender.email.domain.root_domain in ("notion.so", "cribl.cloud")
21  and (
22    not profile.by_sender().solicited
23    or (
24      profile.by_sender().any_messages_malicious_or_spam
25      and not profile.by_sender().any_messages_benign
26    )
27  )  
28
29tags:
30  - "Attack surface reduction"
31attack_types:
32  - "Credential Phishing"
33  - "Malware/Ransomware"
34tactics_and_techniques:
35  - "Free file host"
36detection_methods:
37  - "Sender analysis"
38  - "URL analysis"
39id: "95f20354-3091-537e-9fe0-80ea8b64913b"