Twitter infrastructure abuse via link shortener
Email contains a Twitter-shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic.
Sublime rule
# Sublime Security detection rule. The `source` block is the detection query
# evaluated against each message; the remaining keys are metadata.
name: "Twitter infrastructure abuse via link shortener"
description: "Email contains Twitter shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic."
type: "rule"
severity: "medium"
source: |
  // Inbound messages only, with a small link set (presumably to skip
  // link-heavy newsletters and digests — threshold is a tuning choice)
  // and at least one link whose root domain is t.co.
  type.inbound
  and length(body.links) < 10
  and any(body.links, .href_url.domain.root_domain == "t.co")
  // Exclude Twitter's own sending domains. This matches the full sender
  // domain (not the root domain used further below), so subdomains of
  // these entries are not excluded.
  // NOTE(review): this exclusion is not tied to authentication, unlike the
  // high-trust block at the bottom — a message claiming one of these
  // domains as sender is excluded even if it fails DMARC. Confirm whether
  // pairing the exclusion with headers.auth_summary.dmarc.pass is intended.
  and sender.email.domain.domain not in~ (
    'twitter.com',
    'x.com',
    'twitter.discoursemail.com'
  )
  // Fire for unsolicited senders, or for solicited senders whose history
  // already includes malicious/spam messages with no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata used for grouping and reporting.
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
# Stable rule identifier.
id: "99ca165e-086a-5dc0-aa75-82446f27955b"