Link: PDF and financial display text to free file host

Detects messages containing a single link with PDF-named display text containing financial phrases that redirects to a free file hosting service, sent without previous message threads.

Sublime rule

 1name: "Link: PDF and financial display text to free file host"
 2description: "Detects messages containing a single link with PDF-named display text containing financial phrases that redirects to a free file hosting service, sent without previous message threads."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.links) < 20
 8  
 9  // the message does not contain previous threads
10  and length(body.previous_threads) == 0
11  
12  // no PDF attachemnts
13  and length(filter(attachments, .file_type == "pdf")) == 0
14  // there is only a single link to the free file host
15  and length(filter(body.links,
16                    .href_url.domain.domain in $free_file_hosts
17                    or .href_url.domain.root_domain in $free_file_hosts
18                    or .href_url.domain.domain in $self_service_creation_platform_domains
19                    or .href_url.domain.root_domain in $self_service_creation_platform_domains
20                    or .href_url.domain.domain in $url_shorteners
21                    or .href_url.domain.root_domain in $url_shorteners
22                    or .href_url.domain.root_domain == "dynamics.com"
23             )
24  ) == 1
25  // there are few distinct domains in the message
26  and length(distinct(body.links, .href_url.domain.root_domain)) <= 3
27  
28  // the display_text ends in .pdf and goes to a free file host
29  and any(body.links,
30          strings.iends_with(.display_text, '.pdf')
31          and (
32            .href_url.domain.domain in $free_file_hosts
33            or .href_url.domain.root_domain in $free_file_hosts
34            or .href_url.domain.domain in $self_service_creation_platform_domains
35            or .href_url.domain.root_domain in $self_service_creation_platform_domains
36            or .href_url.domain.domain in $url_shorteners
37            or .href_url.domain.root_domain in $url_shorteners
38            or .href_url.domain.root_domain == "dynamics.com"
39          )
40          // the display text is financial related (remittance, invoice, etc)
41          and (
42            strings.icontains(.display_text, 'payment')
43            or regex.icontains(.display_text, 'pay\b')
44            or strings.icontains(.display_text, 'remit')
45            or strings.icontains(.display_text, 'receipt')
46            or strings.icontains(.display_text, 'Distribution')
47            or strings.icontains(.display_text, 'payoff')
48            or strings.icontains(.display_text, 'Wire Instructions')
49            or regex.icontains(.display_text, 'ACH\b')
50            or regex.icontains(.display_text, 'EFT\b')
51            or strings.istarts_with(.display_text, 'INV')
52            or strings.istarts_with(.display_text, 'View RFQ')
53            or strings.istarts_with(.display_text, 'Contract')
54  
55            // the display text is the subject
56            or (.display_text =~ subject.base and length(.display_text) > 0)
57          )
58  
59          // negate links which make use of google icons inside of a bounding box
60          // filter down to the link with the same display text
61          and not any(filter(html.xpath(body.html,
62                                        '//a[img[@src] or .//img[@src]][.//div[contains(@style, "border:1px solid")] or ancestor::div[contains(@style, "border:1px solid")]]'
63                             ).nodes,
64                             // the display text is the link we're inspecting
65                             ..display_text == .display_text
66                      ),
67                      // inside this is a reference to the google icon 
68                      strings.icontains(.raw, 'gstatic.com/docs/doclist/images/')
69          )
70  )  
71
72attack_types:
73  - "Credential Phishing"
74tactics_and_techniques:
75  - "Free file host"
76  - "Free email provider"
77  - "Social engineering"
78detection_methods:
79  - "Content analysis"
80  - "Sender analysis"
81  - "URL analysis"
82id: "b010740b-a462-5dcd-acf9-877783a84534"