Mismatched links: Free file share with urgent language

Detects messages from first-time senders containing free file sharing links, multiple urgent language indicators, and mismatched link text.

Sublime rule (View on GitHub)

 1name: "Mismatched links: Free file share with urgent language"
 2description: "Detects messages from first-time senders containing free file sharing links, multiple urgent language indicators, and mismatched link text."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Unsolicited + new sender
 9  and (
10    profile.by_sender_email().prevalence in ("new", "outlier")
11    and not profile.by_sender_email().solicited
12  )
13  and not profile.by_sender_email().any_messages_benign
14  
15  // Free file share
16  and any(body.links, .href_url.domain.domain in $free_file_hosts)
17  
18  // urgent language
19  and 3 of (
20    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
21    any(ml.nlu_classifier(subject.subject).entities, .name == "urgency"),
22    regex.icontains(body.current_thread.text,
23                    'immediate|urgent|expire|suspend|action.{0,20}required|time.{0,10}sensitive|verify.{0,20}immediately|complete.{0,20}requested'
24    ),
25    regex.icontains(subject.subject,
26                    'immediate|urgent|expire|suspend|action.{0,20}required|important.{0,20}announcement'
27    ),
28    regex.icontains(body.current_thread.text,
29                    'deadline|expires?.{0,10}(today|soon)|act.{0,10}now|time.{0,10}running.{0,10}out|limited.{0,10}time'
30    )
31  )
32  
33  // Mismatched link
34  and any(body.links,
35          .mismatched == true
36          and length(body.links) <= 3
37          and not .href_url.domain.root_domain in (
38            "mimecast.com",
39            "mimecastprotect.com"
40          )
41  )  
42attack_types:
43  - "BEC/Fraud"
44  - "Callback Phishing"
45  - "Credential Phishing"
46  - "Extortion"
47  - "Malware/Ransomware"
48  - "Spam"
49tactics_and_techniques:
50  - "Free file host"
51  - "Social engineering"
52detection_methods:
53  - "Natural Language Understanding"
54  - "Sender analysis"
55  - "URL analysis"
56id: "478334c8-66be-5cc2-8bd5-3422cc8d2e9d"