Link: Free file hosting with undisclosed recipients

Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.

Sublime rule (View on GitHub)

# Sublime Security detection rule (YAML). The "source" key holds an MQL
# expression; a message is flagged when the whole expression evaluates true.
name: "Link: Free file hosting with undisclosed recipients"
description: "Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms."
type: "rule"
severity: "medium"
# MQL query. "//" lines are MQL comments; the top-level clauses are ANDed,
# so every section below must hold for the rule to fire.
source: |
  // Inbound messages only.
  type.inbound
  // no previous threads
  // (a fresh message, not a reply/forward carrying quoted earlier threads)
  and length(body.previous_threads) == 0
  
  // few links that aren't "social" links
  // Between 1 and 9 links whose root domain is not one of the social
  // platforms listed below; zero such links, or ten or more, does not match.
  and 0 < length(filter(body.current_thread.links,
                        .href_url.domain.root_domain not in (
                          'x.com',
                          'facebook.com',
                          'twitter.com',
                          'instagram.com',
                          'youtube.com',
                          'linkedin.com'
                        )
                 )
  ) < 10
  
  // undisclosed recipients or all recipients cc'd
  // Any of four patterns in which the true recipient list is not shown:
  //   1. a To: entry whose display name reads "undisclosed recipients"
  //      (case-insensitive; "?" stands in for the separator character)
  //   2. recipients only in Cc: with an empty To:
  //   3. recipients only in Bcc: with an empty To:
  //   4. exactly one To: address, no Cc:/Bcc:, where that address is the
  //      sender's own and is not the receiving mailbox (self-addressed mail
  //      delivered to a mailbox that is never named)
  and (
    any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
    or (length(recipients.cc) > 0 and length(recipients.to) == 0)
    or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
    or (
      length(recipients.to) == 1
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
      and all(recipients.to, .email.email == sender.email.email)
      and all(recipients.to, .email.email != mailbox.email.email)
    )
  )
  
  // links to free file hosts or free subdomain hosts
  // At least one link that: has a root domain in the free-file-host or
  // free-subdomain-host list, carries a subdomain component, is visible,
  // is not a Google mail-signature asset on googleusercontent.com (path
  // starting with /mail-sig), and is not on one of the tenant's own domains.
  and any(body.current_thread.links,
          (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
          )
          and .href_url.domain.subdomain is not null
          and .visible
          and not (
            .href_url.domain.root_domain == "googleusercontent.com"
            and strings.istarts_with(.href_url.path, "/mail-sig")
          )
          and not .href_url.domain.domain in $tenant_domains
  )
  
  // negate listmailers & benign threads
  // Exclude mailing-list traffic (any hop carrying a List-Unsubscribe
  // header) and messages the NLU classifier labels "benign" with high
  // confidence. The classifier call is kept last so it only runs for
  // messages that already matched the cheaper clauses above.
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "benign" and .confidence == "high"
    )
  )
  
  // unsolicited and passing auth, or failing/missing dmarc
  // A missing DMARC result is treated as a failure via coalesce(..., false).
  // Matches when DMARC passes but the sender profile is not solicited, or
  // when DMARC fails/is absent (equivalently: DMARC did not pass, or the
  // sender is unsolicited).
  and (
    (
      coalesce(headers.auth_summary.dmarc.pass, false)
      and not profile.by_sender().solicited
    )
    or (not coalesce(headers.auth_summary.dmarc.pass, false))
  )  


# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Evasion"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
  - "Natural Language Understanding"
# Stable identifier for this rule.
id: "b6281306-bf26-58e2-8445-0ef8d05d9820"