Catbox.moe link from untrusted source

Detects messages containing links to catbox.moe file hosting service from senders who either aren't in highly trusted domains or failed DMARC authentication

Sublime rule (View on GitHub)

```yaml
name: "Catbox.moe link from untrusted source"
description: "Detects messages containing links to catbox.moe file hosting service from senders who either aren't in highly trusted domains or failed DMARC authentication"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain == "catbox.moe"
          and not strings.iends_with(.href_url.path, ".json")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "d6041a8b-55a9-5016-b214-ba021f4eba64"
```
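The three conditions in the rule (an inbound message, a link whose root domain is exactly catbox.moe and whose path does not end in .json, and a sender that is either outside the high-trust list or inside it without a DMARC pass) can be walked through against sample messages. The following is an added example that re-implements that logic in plain Python; it is not Sublime's own code or MQL engine. The `HIGH_TRUST_SENDER_ROOT_DOMAINS` set and the sample messages are constructed for the example, and `root_domain` approximates Sublime's `root_domain` with a simple last-two-labels split rather than the public suffix list.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the $high_trust_sender_root_domains list used by the rule.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"google.com", "microsoft.com"}


def root_domain(hostname: str) -> str:
    """Approximate Sublime's root_domain: keep the last two labels.
    (Assumption for the example; the real implementation uses the public suffix list.)"""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


@dataclass
class Message:
    sender_email: str
    links: List[str]
    dmarc_pass: Optional[bool]  # None models a missing headers.auth_summary.dmarc result
    inbound: bool = True


def has_catbox_link(links: List[str]) -> bool:
    """any(body.links, root_domain == "catbox.moe" and not iends_with(path, ".json"))"""
    for href in links:
        parsed = urlparse(href)
        if not parsed.hostname:
            continue
        # Exact root-domain comparison, so "catbox.moe.evil.test" does not match.
        if root_domain(parsed.hostname) != "catbox.moe":
            continue
        if parsed.path.lower().endswith(".json"):
            continue  # the rule excludes .json paths
        return True
    return False


def sender_untrusted(sender_email: str, dmarc_pass: Optional[bool]) -> bool:
    """True when the sender is outside the high-trust list, or inside it without a DMARC pass."""
    sender_root = root_domain(sender_email.rsplit("@", 1)[-1])
    if sender_root in HIGH_TRUST_SENDER_ROOT_DOMAINS:
        # coalesce(dmarc.pass, false): a missing DMARC verdict is treated as a failure
        passed = dmarc_pass if dmarc_pass is not None else False
        return not passed
    return True


def matches(msg: Message) -> bool:
    """Full rule: inbound AND catbox link AND untrusted (or DMARC-failing) sender."""
    return msg.inbound and has_catbox_link(msg.links) and sender_untrusted(msg.sender_email, msg.dmarc_pass)


# Constructed sample messages covering each branch of the rule.
SAMPLES = [
    # trusted domain, DMARC pass, catbox link -> not flagged
    Message("alerts@google.com", ["https://files.catbox.moe/abc123.zip"], True),
    # trusted domain but no DMARC verdict -> coalesce yields false -> flagged
    Message("alerts@google.com", ["https://files.catbox.moe/abc123.zip"], None),
    # untrusted domain with a catbox link -> flagged regardless of DMARC
    Message("someone@example.net", ["https://catbox.moe/xyz.exe"], True),
    # untrusted domain but the path ends in .json -> excluded by the rule
    Message("someone@example.net", ["https://catbox.moe/api.json"], True),
    # look-alike host whose root domain is not catbox.moe -> not flagged by this rule
    Message("someone@example.net", ["https://catbox.moe.evil.test/x"], True),
]


def run_samples() -> List[bool]:
    return [matches(m) for m in SAMPLES]


if __name__ == "__main__":
    for m, hit in zip(SAMPLES, run_samples()):
        print(f"{'MATCH   ' if hit else 'no match'}  {m.sender_email:<22} dmarc={m.dmarc_pass!s:<5} {m.links[0]}")
```

The second sample is the one worth noting operationally: because of `coalesce(..., false)`, a trusted-domain sender with no DMARC result at all is treated the same as one that failed, so messages from high-trust domains arriving through a path that strips or never adds authentication headers will still be flagged.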
