Link: Apple App Store malicious ad manager themed apps from free email provider
Detects inbound messages that contain Apple App Store links whose URL path carries at least two ad-manager-themed tokens (suite, ad/ads, manage/manager, campaign/campaigns) and that are sent from a free email provider, indicating potential abuse of legitimate Apple hosting for malicious ad manager themed applications.
Sublime rule
name: "Link: Apple App Store malicious ad manager themed apps from free email provider"
description: "Detects messages containing Apple App Store links with sent from free email providers, indicating potential abuse of legitimate Apple services hosting malicious ad manager themed applications."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.current_thread.links,
          .href_url.domain.domain in ('apps.apple.com')
          and regex.icount(.href_url.path,
                           '[/-](?:suite|ads?|manager?|campaigns?)'
          ) >= 2
  )
  and sender.email.domain.domain in $free_email_providers

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "9ce402c6-fa1a-5b6c-b45c-37dc7d52f65d"
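As an added example (not part of the Sublime rule or its repository), the rule's three conditions re-implemented in Python and run over constructed links: the free-provider set is a small stand-in for Sublime's `$free_email_providers` list, and `type.inbound` is assumed to be true for every sample.

```python
import re
from urllib.parse import urlparse

# The path pattern from the rule. regex.icount is case-insensitive, so use IGNORECASE.
AD_MANAGER_PATH = re.compile(r"[/-](?:suite|ads?|manager?|campaigns?)", re.IGNORECASE)

# Constructed stand-in for $free_email_providers (the real list is far larger).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


def link_matches(href: str) -> bool:
    """Mirror the any(...) clause: App Store host and >= 2 ad-manager-themed path tokens."""
    parsed = urlparse(href)
    # .href_url.domain.domain is the full host, so compare against apps.apple.com exactly.
    if parsed.hostname != "apps.apple.com":
        return False
    # regex.icount counts non-overlapping matches, which is what findall returns.
    return len(AD_MANAGER_PATH.findall(parsed.path)) >= 2


def rule_fires(sender_email: str, links: list[str]) -> bool:
    """Mirror the whole rule: any suspicious App Store link AND a free-provider sender."""
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    return any(link_matches(h) for h in links) and sender_domain in FREE_EMAIL_PROVIDERS


# Constructed sample messages: (sender, links). Only the first should trigger.
SAMPLES = {
    "ad_manager_from_gmail": (
        "ads-support@gmail.com",
        ["https://apps.apple.com/us/app/ads-manager-suite/id123456789"],
    ),
    "ad_manager_from_corp": (
        "marketing@corp.example",
        ["https://apps.apple.com/us/app/ads-manager-suite/id123456789"],
    ),
    "ordinary_game_from_gmail": (
        "friend@gmail.com",
        ["https://apps.apple.com/us/app/solitaire-classic/id42"],
    ),
    "lookalike_host_from_gmail": (
        "ads-support@gmail.com",
        ["https://example.com/ads-manager-suite"],
    ),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the rule over every sample and report which ones fire."""
    return {name: rule_fires(sender, links) for name, (sender, links) in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:28s} -> {'FIRE' if fired else 'pass'}")
```

The path in the first sample yields three matches (`/ads`, `-manager`, `-suite`), so any App Store path with a single such token, such as a plain `/app/...` path, stays below the threshold of two.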