Link to auto-downloaded DMG in archive

A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited.

Sublime rule (View on GitHub)

 1name: "Link to auto-downloaded DMG in archive"
 2description: "A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited."
 3type: "rule"
 4severity: "medium"
# MQL predicate. Every top-level `and` clause below must hold for the rule to fire.
 5source: |
 6  type.inbound
    // Link/file gate: some body link whose link-analysis download is a common
    // archive type and whose exploded contents include a file with extension "dmg".
    // $file_extensions_common_archives is defined outside this file (presumably a
    // platform-managed list) — verify its contents when tuning.
 7  and any(body.links,
 8          any(beta.linkanalysis(.).files_downloaded,
 9              .file_extension in~ $file_extensions_common_archives
                // NOTE(review): `== "dmg"` is case-sensitive, while the archive
                // check on the line above uses the case-insensitive `in~`. Confirm
                // that file_extension is normalized to lowercase; if it is not, an
                // inner file named e.g. "Installer.DMG" would not match here.
10              and any(file.explode(.), .file_extension == "dmg")
11          )
12  )
    // Sender gate: either (a) the sender is not a common sender and the message is
    // unsolicited, or (b) the sender has prior malicious/spam messages and no
    // recorded false positives. Note that branch (b) alone satisfies this clause
    // even for a common sender.
13  and (
14    (
15      profile.by_sender().prevalence != "common"
16      and not profile.by_sender().solicited
17    )
18    or (
19      profile.by_sender().any_messages_malicious_or_spam
20      and not profile.by_sender().any_false_positives
21    )
22  )
23  
24  // negate highly trusted sender domains unless they fail DMARC authentication
    // A sender root domain in $high_trust_sender_root_domains (defined outside this
    // file) stays in scope only if at least one hop that reports a DMARC result
    // reports one ending in "fail"; a high-trust domain with no DMARC result on any
    // hop is excluded. Domains not on the list always pass this clause.
25  and (
26    (
27      sender.email.domain.root_domain in $high_trust_sender_root_domains
28      and (
29        any(distinct(headers.hops, .authentication_results.dmarc is not null),
30            strings.ilike(.authentication_results.dmarc, "*fail")
31        )
32      )
33    )
34    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
35  )  
36
# Classification metadata for the rule (tags, attack types, tactics, detection methods).
37tags:
38  - "Attack surface reduction"
39attack_types:
40  - "Malware/Ransomware"
41tactics_and_techniques:
42  - "Evasion"
43detection_methods:
44  - "Archive analysis"
45  - "File analysis"
46  - "Sender analysis"
47  - "URL analysis"
48id: "dc04cdd8-6023-578b-a0d5-c59f4b76cacd"
