Link: File sharing pretext with suspicious body and link
Detects messages containing file sharing pretext with a single link to self-service creation platforms or URL shorteners, where the link display text matches the email subject and points to suspicious domains.
Sublime rule (View on GitHub)
1name: "Link: File sharing pretext with suspicious body and link"
2description: "Detects messages containing file sharing pretext with a single link to self-service creation platforms or URL shorteners, where the link display text matches the email subject and points to suspicious domains."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(body.links) < 20
8
9 // file sharing pretext
10 and any(ml.nlu_classifier(body.current_thread.text).topics,
11 .name == "File Sharing and Cloud Services" and .confidence != "low"
12 )
13
14 // the message does not contain previous threads
15 and length(body.previous_threads) == 0
16
17 // no PDF attachments
18 and length(filter(attachments, .file_type == "pdf")) == 0
19
20 // there is only a single link to the free file host
21 and length(filter(body.links,
22 .href_url.domain.domain in $self_service_creation_platform_domains
23 or .href_url.domain.root_domain in $self_service_creation_platform_domains
24 or .href_url.domain.domain in $url_shorteners
25 or .href_url.domain.root_domain in $url_shorteners
26 or .href_url.domain.root_domain == "dynamics.com"
27 )
28 ) == 1
29 // there are few distinct domains in the message
30 and length(distinct(body.links, .href_url.domain.root_domain)) <= 3
31
32 // body/link display text is related to the subject & links to suspicious domain
33 and any(body.links,
34 (
35 strings.icontains(.display_text, subject.base)
36 or strings.icontains(body.current_thread.text,
37 strings.concat('"', subject.base, '"')
38 )
39 )
40 and (
41 .href_url.domain.domain in $self_service_creation_platform_domains
42 or .href_url.domain.root_domain in $self_service_creation_platform_domains
43 or .href_url.domain.domain in $url_shorteners
44 or .href_url.domain.root_domain in $url_shorteners
45 or .href_url.domain.root_domain == "dynamics.com"
46 )
47
48 // negate links which make use of google icons inside of a bounding box
49 // filter down to the link with the same display text
50 and not any(filter(html.xpath(body.html,
51 '//a[img[@src] or .//img[@src]][.//div[contains(@style, "border:1px solid")] or ancestor::div[contains(@style, "border:1px solid")]]'
52 ).nodes,
53 // the display text is the link we're inspecting
54 ..display_text == .display_text
55 ),
56 // inside this is a reference to the google icon
57 strings.icontains(.raw, 'gstatic.com/docs/doclist/images/')
58 )
59 )
60
61
62attack_types:
63 - "Credential Phishing"
64tactics_and_techniques:
65 - "Social engineering"
66 - "Evasion"
67detection_methods:
68 - "Natural Language Understanding"
69 - "Content analysis"
70 - "URL analysis"
71 - "HTML analysis"
72id: "c5718a8e-51b2-52c8-a150-cd7394d4e89c"