Link: Free file hosting with undisclosed recipients

Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# The rule fires when an inbound, non-reply message with a handful of visible
# links to a free file host or free subdomain host is addressed in a way that
# hides the real recipient list, and is neither list mail nor NLU-benign.
name: "Link: Free file hosting with undisclosed recipients"
description: "Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // no previous threads: only fresh (non-reply) messages are in scope
  and length(body.previous_threads) == 0
  
  // few links: at least one and fewer than ten in the current thread
  and 0 < length(body.current_thread.links) < 10
  
  // undisclosed recipients or all recipients cc'd.
  // Any one of four addressing patterns satisfies this clause:
  //   1. a To: display name matching "undisclosed?recipients" (ilike is
  //      case-insensitive; `?` stands in for the separator, so the space- and
  //      hyphen-separated spellings both match — confirm against ilike wildcard rules)
  //   2. CC populated, To: empty
  //   3. BCC populated, To: empty
  //   4. exactly one To: recipient who is the sender itself and is not the
  //      receiving mailbox (self-addressed; the real audience is presumably BCC'd)
  and (
    any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
    or (length(recipients.cc) > 0 and length(recipients.to) == 0)
    or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
    or (
      length(recipients.to) == 1
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
      and all(recipients.to, .email.email == sender.email.email)
      and all(recipients.to, .email.email != mailbox.email.email)
    )
  )
  
  // links to free file hosts or free subdomain hosts.
  // $free_file_hosts and $free_subdomain_hosts are list variables not defined in
  // this rule. A matching link must carry a subdomain and be visible in the
  // rendered body (hidden links are ignored); googleusercontent.com links under
  // /mail-sig (presumably mail-client signature assets) are carved out as benign.
  and any(body.current_thread.links,
          (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
          )
          and .href_url.domain.subdomain is not null
          and .visible
          and not (
            .href_url.domain.root_domain == "googleusercontent.com"
            and strings.istarts_with(.href_url.path, "/mail-sig")
          )
  )
  
  // negate listmailers & benign threads:
  // suppress when any hop carries a List-Unsubscribe header, or when the NLU
  // classifier labels the current thread text "benign" with high confidence
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "benign" and .confidence == "high"
    )
  )
  
  // unsolicited and passing auth, or failing/missing dmarc:
  // either DMARC passes but the sender profile is not solicited, or DMARC does
  // not pass — coalesce(..., false) makes a missing DMARC result count as a failure,
  // so unauthenticated mail is in scope regardless of the sender profile
  and (
    (
      coalesce(headers.auth_summary.dmarc.pass, false)
      and not profile.by_sender().solicited
    )
    or (not coalesce(headers.auth_summary.dmarc.pass, false))
  )
    

# Classification metadata consumed by the platform; not part of the match logic.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Evasion"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
  - "Natural Language Understanding"
id: "b6281306-bf26-58e2-8445-0ef8d05d9820"