Fake shipping notification with link to free file hosting

This rule detects spam emails impersonating a shipping carrier with links to free file hosting. Note that the body regex in the rule matches only FedEx (including spaced/underscored obfuscations such as "f e d e x"); UPS and USPS lures are not matched as written.


 1name: "Fake shipping notification with link to free file hosting"
 2description: |
 3    This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.
 4references:
 5  - "https://playground.sublimesecurity.com?id=64feb22a-03e8-4d8f-83f6-a828dc5e3540"
 6severity: "low"
 7type: "rule"
 8source: |
 9  type.inbound
10  and length(attachments) == 0
11  and (
12    regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
13                    '\bf[ _]?e[ _]?d[ _]?e[ _]?x\b'
14    )
15    and sender.email.domain.domain != "fedex.com"
16    and headers.return_path.domain.domain != sender.email.domain.domain
17    and any(body.links, strings.contains(.display_text, "track"))
18  )
19  and any(body.links,
20          .href_url.domain.domain in $free_file_hosts
21          or .href_url.domain.root_domain in $free_file_hosts
22  )
23  and (
24    (
25      sender.email.domain.root_domain in $free_email_providers
26      and sender.email.email not in $sender_emails
27    )
28    or (
29      sender.email.domain.root_domain not in $free_email_providers
30      and sender.email.domain.root_domain not in $sender_domains
31    )
32    or sender.email.domain.valid == false
33  )  
34
35attack_types:
36  - "Spam"
37tactics_and_techniques:
38  - "Free file host"
39  - "Impersonation: Brand"
40  - "Social engineering"
41detection_methods:
42  - "Content analysis"
43  - "Header analysis"
44  - "Sender analysis"
45id: "6d3fe05e-8ee6-586e-a2c6-60488ecf347a"