File sharing link from suspicious sender domain

A file sharing link in the body sent from a suspicious sender domain.

Sublime rule

name: "File sharing link from suspicious sender domain"
description: |
    A file sharing link in the body sent from a suspicious sender domain.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          (
            .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
          )
          // remove free_file_hosts used to host images as links
          and not any($file_types_images,
                      strings.iends_with(..href_url.url, strings.concat('.', .))
          )
  )
  and sender.email.domain.tld in $suspicious_tlds
  and not sender.email.domain.root_domain in ("notion.so", "cribl.cloud")
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "95f20354-3091-537e-9fe0-80ea8b64913b"
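To make the rule's logic concrete, the following added Python example (not part of the Sublime rule or the Sublime platform) re-implements its conditions over constructed sample messages. The FREE_FILE_HOSTS, IMAGE_EXTS and SUSPICIOUS_TLDS sets are assumed stand-ins for Sublime's $free_file_hosts, $file_types_images and $suspicious_tlds lists, and root_domain() is a simplified approximation of Sublime's public-suffix-aware root domain parsing.

```python
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's $free_file_hosts, $file_types_images
# and $suspicious_tlds lists (assumptions; the real lists are Sublime's).
FREE_FILE_HOSTS = {"filedrop.example", "share.example"}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
SUSPICIOUS_TLDS = {"zip", "top", "xyz", "so"}
EXCLUDED_ROOT_DOMAINS = {"notion.so", "cribl.cloud"}  # taken from the rule

def root_domain(host):
    # Simplified root-domain extraction (last two labels). Sublime uses a
    # public-suffix-aware parser, so this is only an approximation.
    labels = host.lower().split(".")
    return ".".join(labels[-2:])

def is_free_file_host_link(url):
    # Mirrors the any(body.links, ...) clause: the host or its root domain
    # is a free file host, unless the URL ends in an image extension
    # (free file hosts that merely serve images are excluded).
    host = (urlparse(url).hostname or "").lower()
    if host not in FREE_FILE_HOSTS and root_domain(host) not in FREE_FILE_HOSTS:
        return False
    return not any(url.lower().endswith("." + ext) for ext in IMAGE_EXTS)

def matches_rule(msg):
    # msg is a constructed dict: inbound, links, sender_domain, profile.
    if not msg["inbound"]:
        return False
    if not any(is_free_file_host_link(u) for u in msg["links"]):
        return False
    sender = msg["sender_domain"].lower()
    if sender.rsplit(".", 1)[-1] not in SUSPICIOUS_TLDS:
        return False
    if root_domain(sender) in EXCLUDED_ROOT_DOMAINS:
        return False
    p = msg["profile"]  # stands in for profile.by_sender()
    return (not p["solicited"]) or (
        p["any_messages_malicious_or_spam"] and not p["any_messages_benign"])

# Constructed sample messages: unsolicited sender, three link variants.
UNSOLICITED = {"solicited": False, "any_messages_malicious_or_spam": False,
               "any_messages_benign": False}
SAMPLES = [
    {"inbound": True, "links": ["https://filedrop.example/d/invoice.pdf"],
     "sender_domain": "acme-billing.zip", "profile": UNSOLICITED},   # match
    {"inbound": True, "links": ["https://cdn.share.example/logo.png"],
     "sender_domain": "acme-billing.zip", "profile": UNSOLICITED},   # image
    {"inbound": True, "links": ["https://filedrop.example/d/invoice.pdf"],
     "sender_domain": "team.notion.so", "profile": UNSOLICITED},     # excluded
]
```

Only the first sample matches: the second is a hosted image, the third comes from an allowlisted root domain.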