Link: File sharing pretext with suspicious body and link

Detects messages containing file sharing pretext with a single link to self-service creation platforms or URL shorteners, where the link display text matches the email subject and points to suspicious domains.

Sublime rule (View on GitHub)

name: "Link: File sharing pretext with suspicious body and link"
description: "Detects messages containing file sharing pretext with a single link to self-service creation platforms or URL shorteners, where the link display text matches the email subject and points to suspicious domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // cap on the total link count: keeps the rule focused on sparse, single-purpose lures
  and length(body.links) < 20

  // file sharing pretext in the current thread text, with any NLU confidence other than "low"
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "File Sharing and Cloud Services" and .confidence != "low"
  )

  // the message does not contain previous threads
  and length(body.previous_threads) == 0

  // no PDF attachments
  and length(filter(attachments, .file_type == "pdf")) == 0

  // there is only a single link to the free file host
  // (self-service creation platforms, URL shorteners, or the dynamics.com root domain,
  // which is matched explicitly — presumably because it is in neither list)
  and length(filter(body.links,
                    .href_url.domain.domain in $self_service_creation_platform_domains
                    or .href_url.domain.root_domain in $self_service_creation_platform_domains
                    or .href_url.domain.domain in $url_shorteners
                    or .href_url.domain.root_domain in $url_shorteners
                    or .href_url.domain.root_domain == "dynamics.com"
             )
  ) == 1
  // there are few distinct domains in the message
  and length(distinct(body.links, .href_url.domain.root_domain)) <= 3

  // body/link display text is related to the subject & links to suspicious domain:
  // either the link's display text contains the base subject, or the body text quotes
  // the base subject verbatim in double quotes (as a lure would name the "shared file")
  // NOTE(review): an empty subject.base would make icontains trivially true — confirm
  // how the function treats an empty needle, or guard on subject.base
  and any(body.links,
          (
            strings.icontains(.display_text, subject.base)
            or strings.icontains(body.current_thread.text,
                                 strings.concat('"', subject.base, '"')
            )
          )
          // same domain conditions as the single-link count above; keep both
          // condition lists in sync if either is changed
          and (
            .href_url.domain.domain in $self_service_creation_platform_domains
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.root_domain == "dynamics.com"
          )

          // negate links which make use of google icons inside of a bounding box:
          // an anchor wrapping an <img>, itself inside or under a div styled "border:1px solid"
          // NOTE(review): presumably this exempts genuine Google Drive share notifications,
          // whose file icon is served from gstatic.com — confirm against a known-good sample
          // filter down to the link with the same display text
          and not any(filter(html.xpath(body.html,
                                        '//a[img[@src] or .//img[@src]][.//div[contains(@style, "border:1px solid")] or ancestor::div[contains(@style, "border:1px solid")]]'
                             ).nodes,
                             // the display text is the link we're inspecting
                             // ('..' refers to the enclosing body.links item)
                             ..display_text == .display_text
                      ),
                      // inside this node is a reference to the google icon
                      strings.icontains(.raw, 'gstatic.com/docs/doclist/images/')
          )
  )


attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "URL analysis"
  - "HTML analysis"
id: "c5718a8e-51b2-52c8-a150-cd7394d4e89c"