Link: Free file host links from suspicious support sender with credential theft language

Detects inbound messages from senders using the local part 'support' that contain a small number of links pointing exclusively to free file hosting services. The message contains NLU signals that indicate credential theft intent related to file sharing or cloud services.


 1name: "Link: Free file host links from suspicious support sender with credential theft language"
 2description: "Detects inbound messages from senders using the local part 'support' that contain a small number of links pointing exclusively to free file hosting services. The message contains NLU signals indicate credential theft intent related to file sharing or cloud services."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.local_part == 'support'
 8  and 1 < length(filter(body.current_thread.links,
 9                        not regex.icontains(.href_url.url,
10                                            '\.(pdf|doc|docx|csv|xls|xlsx|ppt|pptx)'
11                        )
12                 )
13  ) <= 5
14  and all(body.current_thread.links,
15          .href_url.domain.root_domain in $free_file_hosts
16          or .href_url.domain.domain in $free_file_hosts
17  )
18  and any(ml.nlu_classifier(body.current_thread.text).intents,
19          .name == 'cred_theft' and .confidence != 'low'
20  )
21  and any(ml.nlu_classifier(body.current_thread.text).topics,
22          .name == 'File Sharing and Cloud Services' and .confidence != 'low'
23  )
24  // negate highly trusted sender domains unless they fail DMARC authentication
25  and not (
26    sender.email.domain.root_domain in $high_trust_sender_root_domains
27    and coalesce(headers.auth_summary.dmarc.pass, false)
28  )  
29attack_types:
30  - "Credential Phishing"
31tactics_and_techniques:
32  - "Free file host"
33  - "Social engineering"
34detection_methods:
35  - "Sender analysis"
36  - "URL analysis"
37  - "Natural Language Understanding"
38id: "816ad5de-e97c-5d8d-93bf-d0ed100d5607"