Link: File sharing impersonation with suspicious language and sending patterns

Detects messages containing file sharing and cloud services topics combined with BEC or credential theft language, featuring links with document-related display text that lead to low-reputation domains (not in the Tranco top 1M) outside the sender's domain and organization. The rule only fires when a suspicious sending pattern is also present — a self-addressed message, a free-mail Reply-To that differs from the sender domain, an SRS-rewritten return path, or no visible recipients — and it deliberately excludes links to free file-hosting domains to reduce false positives on legitimate document shares. Highly trusted sender domains are exempt unless they fail DMARC.


 1name: "Link: File sharing impersonation with suspicious language and sending patterns"
 2description: "Detects messages containing file sharing and cloud services topics combined with BEC or credential theft language, featuring links with document-related display text that lead to low-reputation domains outside the sender's domain and organization."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(ml.nlu_classifier(body.current_thread.text).topics,
 8          .name == "File Sharing and Cloud Services" and .confidence != "low"
 9  )
10  and any(ml.nlu_classifier(body.current_thread.text).intents,
11          .name in ("bec", "cred_theft") and .confidence != "low"
12  )
13  and any(body.links,
14          regex.icontains(.display_text, "document", "download")
15          and .href_url.domain.root_domain != sender.email.domain.root_domain
16          and .href_url.domain.root_domain not in $tranco_1m
17          and .href_url.domain.root_domain not in $org_domains
18          and .href_url.domain.valid
19  
20          // Exclude legitimate document services
21          and not .href_url.domain.root_domain in $free_file_hosts
22  )
23  // suspicious sending/recipient pattern
24  and 1 of (
25    (
26      length(recipients.to) == 1
27      and recipients.to[0].email.email == sender.email.email
28    ),
29    any(headers.reply_to,
30        .email.domain.domain in $free_email_providers
31        and .email.domain.domain != sender.email.domain.domain
32    ),
33    (
34      length(recipients.to) == 1
35      and length(recipients.cc) == 1
36      and recipients.to[0].email.email == recipients.cc[0].email.email
37    ),
38    (
39      strings.icontains(headers.return_path.local_part, "+SRS=")
40      or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
41      or any(headers.hops,
42             strings.icontains(.authentication_results.spf_details.designator,
43                               '+SRS='
44             )
45      )
46    ),
47    // No recipients visible
48    (
49      length(recipients.to) == 0
50      or all(recipients.to,
51             .display_name in ("Undisclosed recipients", "undisclosed-recipients")
52      )
53    )
54    and length(recipients.cc) == 0
55  )
56  
57  // negate highly trusted sender domains unless they fail DMARC authentication
58  and (
59    (
60      sender.email.domain.root_domain in $high_trust_sender_root_domains
61      and not headers.auth_summary.dmarc.pass
62    )
63    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
64  )  
65
66attack_types:
67  - "BEC/Fraud"
68  - "Credential Phishing"
69tactics_and_techniques:
70  - "Social engineering"
71  - "Free subdomain host"
72  - "Impersonation: Brand"
73detection_methods:
74  - "Natural Language Understanding"
75  - "URL analysis"
76  - "Sender analysis"
77  - "Header analysis"
78  - "Content analysis"
79id: "d3363041-f38d-538c-8633-29d7d6f80ca7"