File sharing link with a suspicious subject

calendar Sep 7, 2023  ยท
Share on: linkedin copy

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

Sublime rule (View on GitHub)

 1name: "File sharing link with a suspicious subject"
 2description: |
 3  A file sharing link in the body with a common BEC subject. This rule could be expanded to 
 4  include additional BEC subjects.  
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and sender.email.domain.root_domain != 'google.com'
10  and any(body.links, 
11    .href_url.domain.domain in $free_file_hosts
12    and not (
13        // negating Google Forms links
14        .href_url.domain.domain == "docs.google.com"
15        and strings.istarts_with(.href_url.path, "/forms/")
16    )
17  )
18  and regex.icontains(subject.subject, 'immediately', 'urgent')
19  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
20  and (
21    (
22      sender.email.domain.root_domain in $free_email_providers
23      and sender.email.email not in $recipient_emails
24    )
25    or (
26      sender.email.domain.root_domain not in $free_email_providers
27      and sender.email.domain.domain not in $recipient_domains
28    )
29  )  
30attack_types:
31  - "BEC/Fraud"
32tactics_and_techniques:
33  - "Free file host"
34  - "Social engineering"
35detection_methods:
36  - "Header analysis"
37  - "Sender analysis"
38  - "URL analysis"
39id: "a306e2a6-addc-5e26-9be1-c146f37fd7f2"
to-top