Link: PDF and financial display text to free file host
Detects messages that contain a single link whose PDF-named display text includes financial phrases and that redirects to a free file hosting service, sent without previous message threads.
name: "Link: PDF and financial display text to free file host"
description: "Detects messages containing a single link with PDF-named display text containing financial phrases that redirects to a free file hosting service, sent without previous message threads."
type: "rule"
severity: "high"
source: |
  // Inbound only, and cap the total link count so the per-link
  // checks below run against a small, mostly hand-crafted body.
  type.inbound
  and length(body.links) < 20

  // the message does not contain previous threads
  and length(body.previous_threads) == 0

  // no PDF attachments: the lure is a ".pdf" display text on a link,
  // not an actual PDF file
  and length(filter(attachments, .file_type == "pdf")) == 0
  // there is only a single link to the free file host
  // (exactly one; the same domain lists are re-checked below on the
  // link that carries the .pdf display text)
  and length(filter(body.links,
                    .href_url.domain.domain in $free_file_hosts
                    or .href_url.domain.root_domain in $free_file_hosts
                    or .href_url.domain.domain in $self_service_creation_platform_domains
                    or .href_url.domain.root_domain in $self_service_creation_platform_domains
                    or .href_url.domain.domain in $url_shorteners
                    or .href_url.domain.root_domain in $url_shorteners
                    // checked explicitly, not via a list
                    or .href_url.domain.root_domain == "dynamics.com"
             )
  ) == 1
  // there are few distinct domains in the message
  and length(distinct(body.links, .href_url.domain.root_domain)) <= 3

  // the display_text ends in .pdf and goes to a free file host
  and any(body.links,
          strings.iends_with(.display_text, '.pdf')
          and (
            .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.domain in $self_service_creation_platform_domains
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.root_domain == "dynamics.com"
          )
          // the display text is financial related (remittance, invoice, etc)
          // all matches are case-insensitive (i* / regex.icontains)
          and (
            strings.icontains(.display_text, 'payment')
            or regex.icontains(.display_text, 'pay\b')
            or strings.icontains(.display_text, 'remit')
            or strings.icontains(.display_text, 'receipt')
            or strings.icontains(.display_text, 'Distribution')
            or strings.icontains(.display_text, 'payoff')
            or strings.icontains(.display_text, 'Wire Instructions')
            or regex.icontains(.display_text, 'ACH\b')
            or regex.icontains(.display_text, 'EFT\b')
            // prefix match: also covers text beginning "Inventory",
            // "Invitation", etc.; the .pdf-suffix and file-host gates
            // above are what keep this clause narrow
            or strings.istarts_with(.display_text, 'INV')
            or strings.istarts_with(.display_text, 'View RFQ')
            or strings.istarts_with(.display_text, 'Contract')

            // the display text is the subject (=~ is a case-insensitive
            // equality; the length guard rejects an empty display text)
            or (.display_text =~ subject.base and length(.display_text) > 0)
          )

          // negate links which make use of google icons inside of a bounding box
          // filter down to the link with the same display text
          and not any(filter(html.xpath(body.html,
                                        '//a[img[@src] or .//img[@src]][.//div[contains(@style, "border:1px solid")] or ancestor::div[contains(@style, "border:1px solid")]]'
                             ).nodes,
                             // the display text is the link we're inspecting
                             // (`..` refers to the enclosing body.links element)
                             ..display_text == .display_text
                      ),
                      // inside this is a reference to the google icon
                      strings.icontains(.raw, 'gstatic.com/docs/doclist/images/')
          )
  )

attack_types:
  - "Credential Phishing"
# NOTE(review): the source block above does not inspect sender or
# from-domain fields; confirm "Free email provider" and "Sender analysis"
# still reflect the rule's logic.
tactics_and_techniques:
  - "Free file host"
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "b010740b-a462-5dcd-acf9-877783a84534"