File sharing link with a suspicious subject

calendar Feb 17, 2026  ยท
Share on: linkedin copy

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

Sublime rule (View on GitHub)

 1name: "File sharing link with a suspicious subject"
 2description: |
 3  A file sharing link in the body with a common BEC subject. This rule could be expanded to 
 4  include additional BEC subjects.  
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and sender.email.domain.root_domain != 'google.com'
10  and not (
11    sender.email.domain.root_domain == "dropbox.com"
12    and headers.auth_summary.dmarc.pass
13  )
14  and any(body.links,
15          (
16            .href_url.domain.domain in $free_file_hosts
17            or .href_url.domain.root_domain in $free_file_hosts
18          )
19          and not (
20            // negating Google Forms links
21            .href_url.domain.domain == "docs.google.com"
22            and strings.istarts_with(.href_url.path, "/forms/")
23          )
24          and not .href_url.domain.domain in $tenant_domains
25  )
26  and regex.icontains(subject.subject, 'immediately', 'urgent')
27  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
28  and (
29    not profile.by_sender().solicited
30    or (
31      profile.by_sender().any_messages_malicious_or_spam
32      and not profile.by_sender().any_messages_benign
33    )
34  )  
35attack_types:
36  - "BEC/Fraud"
37tactics_and_techniques:
38  - "Free file host"
39  - "Social engineering"
40detection_methods:
41  - "Header analysis"
42  - "Sender analysis"
43  - "URL analysis"
44id: "a306e2a6-addc-5e26-9be1-c146f37fd7f2"
to-top