Link to auto-downloaded DMG in archive
A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited.
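# Sublime detection rule: flags inbound mail whose body links auto-download an
# archive that, once exploded, contains a macOS disk image (DMG), when the
# sender has no established relationship with the recipient organization.
name: "Link to auto-downloaded DMG in archive"
description: "A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // follow every body link; at least one downloaded file must be a common
  // archive type whose exploded contents include a DMG
  and any(body.links,
          any(ml.link_analysis(.).files_downloaded,
              .file_extension in~ $file_extensions_common_archives
              // case-insensitive match (=~), consistent with the in~ archive
              // check above, so an upper-case extension such as ".DMG" is
              // not missed by a case-sensitive ==
              and any(file.explode(.), .file_extension =~ "dmg")
          )
  )
  // sender reputation: either unfamiliar and unsolicited, or previously
  // flagged as malicious/spam with no confirmed false positives
  and (
    (
      profile.by_sender().prevalence != "common"
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): when DMARC was not evaluated (dmarc.pass is null), confirm
  // how `not null` resolves here — a null could let a spoofed high-trust
  // domain through or over-match; `coalesce` may be wanted if supported
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
id: "dc04cdd8-6023-578b-a0d5-c59f4b76cacd"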