Link: Free file hosting with undisclosed recipients

Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.

Sublime rule (View on GitHub)

 1name: "Link: Free file hosting with undisclosed recipients"
 2description: "Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // no previous threads
 8  and length(body.previous_threads) == 0
 9  
10  // few links
11  and 0 < length(body.current_thread.links) < 10
12  
13  // undisclosed recipientsor all recipients cc'd
14  and (
15    any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
16    or (length(recipients.cc) > 0 and length(recipients.to) == 0)
17    or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
18  )
19  
20  // links to free file hosts or free subdomain hosts
21  and any(body.current_thread.links,
22          (
23            .href_url.domain.root_domain in $free_file_hosts
24            or .href_url.domain.root_domain in $free_subdomain_hosts
25          )
26          and .href_url.domain.subdomain is not null
27          and .visible
28          and not (
29            .href_url.domain.root_domain == "googleusercontent.com"
30            and strings.istarts_with(.href_url.path, "/mail-sig")
31          )
32  )
33  
34  // negate listmailers & benign threads
35  and not (
36    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
37    or any(ml.nlu_classifier(body.current_thread.text).intents,
38           .name == "benign" and .confidence == "high"
39    )
40  )
41  
42  // unsolicited and passing auth, or failing/missing dmarc
43  and (
44    (
45      coalesce(headers.auth_summary.dmarc.pass, false)
46      and not profile.by_sender().solicited
47    )
48    or (not coalesce(headers.auth_summary.dmarc.pass, false))
49  )
50    
51
52attack_types:
53  - "Credential Phishing"
54  - "Malware/Ransomware"
55tactics_and_techniques:
56  - "Free file host"
57  - "Free subdomain host"
58  - "Evasion"
59detection_methods:
60  - "Header analysis"
61  - "URL analysis"
62  - "Sender analysis"
63  - "Natural Language Understanding"
64id: "b6281306-bf26-58e2-8445-0ef8d05d9820"
to-top