Catbox.moe link from untrusted source
Detects messages containing links to catbox.moe file hosting service from senders who either aren't in highly trusted domains or failed DMARC authentication
Sublime rule

```yaml
name: "Catbox.moe link from untrusted source"
description: "Detects messages containing links to catbox.moe file hosting service from senders who either aren't in highly trusted domains or failed DMARC authentication"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain == "catbox.moe"
          and not strings.iends_with(.href_url.path, ".json")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "d6041a8b-55a9-5016-b214-ba021f4eba64"
```
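The rule's logic re-implemented in Python as an added example (not Sublime's code or MQL), so the sender/DMARC branches and the `.json` path exclusion can be exercised against constructed messages. The message dict layout, the field names and the trusted-domain set are assumptions, and `root_domain` is a simplified stand-in for the platform's public-suffix based `root_domain`; note that a missing DMARC result is coalesced to false, so a trusted domain with no DMARC verdict still matches.

```python
"""Added re-implementation of the Catbox.moe rule's logic (not Sublime's code).
The message dict layout, field names and the trusted-domain set are constructed."""
from urllib.parse import urlsplit

# Constructed stand-in for the $high_trust_sender_root_domains list.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "google.com"}

def root_domain(host: str) -> str:
    """Last two labels of a hostname; the platform uses a public-suffix list,
    so this is a simplification that is good enough for the samples below."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def has_catbox_link(links: list) -> bool:
    """any(body.links, root_domain == "catbox.moe" and not path iends_with ".json")"""
    for href in links:
        parts = urlsplit(href)
        if (parts.hostname and root_domain(parts.hostname) == "catbox.moe"
                and not parts.path.lower().endswith(".json")):
            return True
    return False

def sender_is_untrusted(sender_email: str, dmarc_pass) -> bool:
    """Trusted senders are exempt only while DMARC passes; a missing DMARC
    result (None) is coalesced to False, so it counts as a failure."""
    sender_root = root_domain(sender_email.rsplit("@", 1)[-1])
    if sender_root in HIGH_TRUST_SENDER_ROOT_DOMAINS:
        return not (dmarc_pass if dmarc_pass is not None else False)
    return True

def rule_matches(msg: dict) -> bool:
    """msg keys (constructed): inbound, links, sender, dmarc_pass (True/False/None)."""
    return (bool(msg["inbound"]) and has_catbox_link(msg["links"])
            and sender_is_untrusted(msg["sender"], msg.get("dmarc_pass")))

# Constructed sample messages, one per branch of the rule.
CATBOX = "https://files.catbox.moe/abc123.zip"
def sample(sender, dmarc_pass, link=CATBOX):
    return {"inbound": True, "links": [link], "sender": sender, "dmarc_pass": dmarc_pass}
SAMPLES = {
    "untrusted_sender": sample("billing@invoice-portal.test", True),
    "trusted_dmarc_pass": sample("noreply@google.com", True),
    "trusted_dmarc_fail": sample("noreply@google.com", False),
    "trusted_dmarc_missing": sample("noreply@google.com", None),
    "json_only": sample("billing@invoice-portal.test", True, "https://catbox.moe/user/api.json"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24} -> {'MATCH' if rule_matches(msg) else 'no match'}")
```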