Link: Free file hosting with undisclosed recipients
Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.
Sublime rule (View on GitHub)
1name: "Link: Free file hosting with undisclosed recipients"
2description: "Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 // no previous threads
8 and length(body.previous_threads) == 0
9
10 // few links
11 and 0 < length(body.current_thread.links) < 10
12
13 // undisclosed recipientsor all recipients cc'd
14 and (
15 any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
16 or (length(recipients.cc) > 0 and length(recipients.to) == 0)
17 or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
18 )
19
20 // links to free file hosts or free subdomain hosts
21 and any(body.current_thread.links,
22 (
23 .href_url.domain.root_domain in $free_file_hosts
24 or .href_url.domain.root_domain in $free_subdomain_hosts
25 )
26 and .href_url.domain.subdomain is not null
27 and .visible
28 and not (
29 .href_url.domain.root_domain == "googleusercontent.com"
30 and strings.istarts_with(.href_url.path, "/mail-sig")
31 )
32 )
33
34 // negate listmailers & benign threads
35 and not (
36 any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
37 or any(ml.nlu_classifier(body.current_thread.text).intents,
38 .name == "benign" and .confidence == "high"
39 )
40 )
41
42 // unsolicited and passing auth, or failing/missing dmarc
43 and (
44 (
45 coalesce(headers.auth_summary.dmarc.pass, false)
46 and not profile.by_sender().solicited
47 )
48 or (not coalesce(headers.auth_summary.dmarc.pass, false))
49 )
50
51
52attack_types:
53 - "Credential Phishing"
54 - "Malware/Ransomware"
55tactics_and_techniques:
56 - "Free file host"
57 - "Free subdomain host"
58 - "Evasion"
59detection_methods:
60 - "Header analysis"
61 - "URL analysis"
62 - "Sender analysis"
63 - "Natural Language Understanding"
64id: "b6281306-bf26-58e2-8445-0ef8d05d9820"