Mismatched links: Free file share with urgent language
Detects inbound messages from new or outlier senders that are unsolicited and have no prior benign history, where the message contains a link to a free file-hosting service, satisfies at least three of five urgent-language indicators (NLU urgency entities or keyword regexes on the subject and body), and — in messages with three or fewer links — contains a link whose displayed text does not match its destination (Mimecast link-rewriting domains excluded).
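# Sublime Security detection rule.
# Fires on inbound mail from a new/outlier, unsolicited sender with no benign
# history when the message carries a free-file-host link, stacks several
# urgency cues, and contains a link whose visible text disagrees with its href.
name: "Mismatched links: Free file share with urgent language"
description: "Detects messages from first-time senders containing free file sharing links, multiple urgent language indicators, and mismatched link text."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Unsolicited + new sender: the sender address has little or no history
  // in this environment, was not solicited, and has never had a message
  // marked benign
  and (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
  and not profile.by_sender_email().any_messages_benign

  // Free file share: at least one body link points at a known free file host
  and any(body.links, .href_url.domain.domain in $free_file_hosts)

  // Urgent language: at least three of the five indicators below must hold.
  // NOTE: the two body regexes overlap on "expire", so a single phrase such
  // as "expires today" satisfies two indicators on its own.
  and 3 of (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
    any(ml.nlu_classifier(subject.subject).entities, .name == "urgency"),
    regex.icontains(body.current_thread.text,
                    'immediate|urgent|expire|suspend|action.{0,20}required|time.{0,10}sensitive|verify.{0,20}immediately|complete.{0,20}requested'
    ),
    regex.icontains(subject.subject,
                    'immediate|urgent|expire|suspend|action.{0,20}required|important.{0,20}announcement'
    ),
    regex.icontains(body.current_thread.text,
                    'deadline|expires?.{0,10}(today|soon)|act.{0,10}now|time.{0,10}running.{0,10}out|limited.{0,10}time'
    )
  )

  // Mismatched link: only messages with few links qualify, and one of them
  // must have display text that disagrees with its href. The link-count
  // bound does not depend on the individual link, so it is evaluated once
  // up front instead of on every iteration of the any() loop; the result
  // is identical (an empty link list still fails the any()).
  and length(body.links) <= 3
  and any(body.links,
          .mismatched == true
          // Mimecast link-rewriting domains are excluded; presumably rewritten
          // URLs register as mismatched on legitimate mail (review: confirm)
          and not .href_url.domain.root_domain in (
            "mimecast.com",
            "mimecastprotect.com"
          )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
  - "Extortion"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "478334c8-66be-5cc2-8bd5-3422cc8d2e9d"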