Truth Social infrastructure abuse via link redirect

The email contains a link to Truth Social's redirect host (links.truthsocial.com) but was not sent from a Truth Social domain. Routing victims through a redirect hosted on legitimate, well-reputed infrastructure is a known malicious tactic: the link domain a recipient (or a URL-reputation check) sees is trusted, while the redirect's final destination is controlled by the attacker.

Sublime rule (View on GitHub)

name: "Truth Social infrastructure abuse via link redirect"
description: "Email contains a Truth Social link (links.truthsocial.com) but does not originate from a Truth Social domain. This is a known malicious tactic."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links, .href_url.domain.domain == "links.truthsocial.com")
  and sender.email.domain.domain not in~ ('truthsocial.com')
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "aaaa30a8-34f8-57c1-b374-ec7ea15a8dda"
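To make the rule's clauses concrete, the following is an added example (not Sublime's engine, not MQL, and not part of the published rule) that re-implements the same conditions in plain Python and runs them over constructed sample messages. The `Message` and `SenderProfile` classes stand in for Sublime's message and `profile.by_sender()` objects, the contents of `HIGH_TRUST_SENDER_ROOT_DOMAINS` are hypothetical, and `root_domain` uses a naive last-two-labels rule rather than the Public Suffix List. One detail worth noticing while reading it: the rule's exclusion compares `sender.email.domain.domain`, the full sender domain, so mail from a subdomain of truthsocial.com is not excluded by that clause.

```python
"""Added example: plain-Python re-implementation of the rule's logic over
constructed messages. Not Sublime's engine; field names, the trusted-domain
list and the sample messages are stand-ins for illustration."""
from dataclasses import dataclass, field
from email.utils import parseaddr
import re
from urllib.parse import urlparse

# Hypothetical stand-in for Sublime's $high_trust_sender_root_domains list.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "google.com"}
# Sender-domain exclusion, compared case-insensitively like `not in~`.
EXCLUDED_SENDER_DOMAINS = {"truthsocial.com"}
REDIRECT_HOST = "links.truthsocial.com"
MAX_LINKS = 10  # rule requires length(body.links) < 10


@dataclass
class SenderProfile:
    """Stand-in for profile.by_sender()."""
    solicited: bool = False
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


@dataclass
class Message:
    inbound: bool                 # type.inbound
    sender_header: str            # raw From: header value
    body_html: str
    dmarc_pass: bool              # headers.auth_summary.dmarc.pass
    profile: SenderProfile = field(default_factory=SenderProfile)


HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)


def extract_link_hosts(body_html: str) -> list[str]:
    """Approximates body.links[].href_url.domain.domain (full host of each href)."""
    return [(urlparse(u).hostname or "").lower() for u in HREF_RE.findall(body_html)]


def root_domain(host: str) -> str:
    """Naive .root_domain: last two labels. Sublime uses the Public Suffix List,
    so this stand-in is wrong for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(sender_header: str) -> str:
    """Approximates sender.email.domain.domain: the full domain, not the root."""
    _, addr = parseaddr(sender_header)
    return addr.rpartition("@")[2].lower()


def matches_rule(msg: Message) -> bool:
    """True when the message satisfies every clause of the rule's `source`."""
    if not msg.inbound:
        return False
    hosts = extract_link_hosts(msg.body_html)
    if len(hosts) >= MAX_LINKS:          # skip link-heavy newsletter-style mail
        return False
    if REDIRECT_HOST not in hosts:       # any(body.links, ... == "links.truthsocial.com")
        return False
    sdom = sender_domain(msg.sender_header)
    # Full-domain comparison: a subdomain of truthsocial.com is not excluded here.
    if sdom in EXCLUDED_SENDER_DOMAINS:
        return False
    p = msg.profile                      # unsolicited, or prior malicious/spam with no FPs
    if not (not p.solicited or (p.any_messages_malicious_or_spam and not p.any_false_positives)):
        return False
    # Highly trusted root domains are negated unless DMARC fails (spoofing indicator).
    if root_domain(sdom) in HIGH_TRUST_SENDER_ROOT_DOMAINS and msg.dmarc_pass:
        return False
    return True


# Constructed sample messages (not real captures).
PHISH_LINK = '<a href="https://links.truthsocial.com/r/abc">Verify your account</a>'
SAMPLES = {
    "unsolicited_redirect": Message(True, "Support <alerts@example-invoices.test>", PHISH_LINK, False),
    "legit_truthsocial": Message(True, "Truth Social <no-reply@truthsocial.com>", PHISH_LINK, True),
    "trusted_dmarc_pass": Message(True, "IT <it@mail.microsoft.com>", PHISH_LINK, True),
    "trusted_dmarc_fail": Message(True, "IT <it@mail.microsoft.com>", PHISH_LINK, False),
    "solicited_clean": Message(True, "News <news@example-news.test>", PHISH_LINK, True,
                               SenderProfile(solicited=True)),
    "solicited_prior_malicious": Message(True, "News <news@example-news.test>", PHISH_LINK, True,
                                         SenderProfile(True, True, False)),
    "many_links": Message(True, "Digest <digest@example-digest.test>",
                          PHISH_LINK + '<a href="https://example.test/item">x</a>' * 9, False),
}


def evaluate_samples() -> dict[str, bool]:
    return {name: matches_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:28s} {'MATCH' if hit else 'no match'}")
```

The two `mail.microsoft.com` samples show why the DMARC clause exists: the same body and sender fire only when DMARC fails, which is the case a spoofed trusted domain produces, while authenticated mail from the trusted root is left alone.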