Fake shipping notification with link to free file hosting
This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.
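name: "Fake shipping notification with link to free file hosting"
description: |
  This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.
references:
  - "https://playground.sublimesecurity.com?id=64feb22a-03e8-4d8f-83f6-a828dc5e3540"
severity: "low"
type: "rule"
# NOTE(review): the description names FedEx, UPS and USPS, but the only brand
# matched in `source` is FedEx (the obfuscated-spelling regex below). UPS/USPS
# lures will not fire this rule as written — confirm whether that is intended.
source: |
  // Inbound mail only, with no attachments: the lure lives in the body links.
  type.inbound
  and length(attachments) == 0
  and (
    // Brand reference in the rendered body, tolerant of "f e d e x" / "f_e_d_e_x"
    // style obfuscation. Case-insensitive.
    regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
                    '\bf[ _]?e[ _]?d[ _]?e[ _]?x\b'
    )
    // Not sent from the genuine brand domain (exact domain, not root_domain).
    and sender.email.domain.domain != "fedex.com"
    // Return-Path must disagree with the From domain; messages whose
    // Return-Path is aligned with the sender are deliberately excluded.
    and headers.return_path.domain.domain != sender.email.domain.domain
    // Typical "track your package" call to action in a link's visible text.
    // This check is case-sensitive ("Track"/"TRACK" do not match); regex
    // above is not — confirm whether strings.icontains was intended here.
    and any(body.links, strings.contains(.display_text, "track"))
    // Bounded link count filters out newsletter-style bulk mail.
    and length(body.links) < 10
  )
  // At least one link points at a free file host (matched on either the
  // full domain or its registered root domain).
  and any(body.links,
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
  )
  // Sender reputation: free-mail sender not already trusted, a non-free-mail
  // domain not already trusted, or a sender domain that does not validate.
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.root_domain not in $sender_domains
    )
    or sender.email.domain.valid == false
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free file host"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "6d3fe05e-8ee6-586e-a2c6-60488ecf347a"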