File sharing link with a suspicious subject

calendar Apr 23, 2024  ยท
Share on: linkedin copy

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

Sublime rule (View on GitHub)

 1name: "File sharing link with a suspicious subject"
 2description: |
 3  A file sharing link in the body with a common BEC subject. This rule could be expanded to 
 4  include additional BEC subjects.  
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and sender.email.domain.root_domain != 'google.com'
10  and not (
11    sender.email.domain.root_domain == "dropbox.com"
12    and headers.auth_summary.dmarc.pass
13  )
14  and any(body.links,
15          (
16            .href_url.domain.domain in $free_file_hosts
17            or .href_url.domain.root_domain in $free_file_hosts
18          )
19          and not (
20            // negating Google Forms links
21            .href_url.domain.domain == "docs.google.com"
22            and strings.istarts_with(.href_url.path, "/forms/")
23          )
24  )
25  and regex.icontains(subject.subject, 'immediately', 'urgent')
26  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
27  and (
28    not profile.by_sender().solicited
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33  )  
34
35
36attack_types:
37  - "BEC/Fraud"
38tactics_and_techniques:
39  - "Free file host"
40  - "Social engineering"
41detection_methods:
42  - "Header analysis"
43  - "Sender analysis"
44  - "URL analysis"
45id: "a306e2a6-addc-5e26-9be1-c146f37fd7f2"
to-top