Link: Commonly Abused Web Service redirecting to ZIP file
Detects messages containing links from URL shorteners, free file hosts, or suspicious domains that redirect to ZIP file downloads, potentially indicating malware distribution.
name: "Link: Commonly Abused Web Service redirecting to ZIP file"
description: "Detects messages containing links from URL shorteners, free file hosts, or suspicious domains that redirect to ZIP file downloads, potentially indicating malware distribution."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail carrying between 1 and 14 links, addressed to exactly
  // one To: recipient whose address has a valid domain.
  type.inbound
  and 0 < length(body.links) < 15
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(body.links,
          // The link's first hop is infrastructure that is cheap to obtain and
          // routinely used as a redirector: shorteners, free file and subdomain
          // hosts, self-service site builders, suspicious TLDs ...
          (
            .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.tld in $suspicious_tlds
            // ... or a domain registered less than 30 days ago.
            or network.whois(.href_url.domain).days_old < 30
          )
          // The href as written must NOT already end in .zip: the signal is
          // an archive hidden behind a redirect, not a direct archive link.
          and not strings.iends_with(.href_url.url, '.zip')
          // ... while the URL reached after following redirects MUST end in .zip.
          // NOTE(review): the check is on the full URL string, so an effective URL
          // that ends in a query string (e.g. a constructed '...file.zip?dl=1')
          // would not match — confirm this is the intended coverage.
          and strings.iends_with(ml.link_analysis(.).effective_url.url, '.zip')
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Open redirect"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Whois"
  - "Archive analysis"
id: "a1132f52-101c-5675-baa2-fc14c49a2315"