Link: Free file hosting with undisclosed recipients

Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.

Sublime rule (View on GitHub)

 1name: "Link: Free file hosting with undisclosed recipients"
 2description: "Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // no previous threads
 8  and (
 9    length(body.previous_threads) == 0
10    // If there is a previous thread, it is unrelated to current thread
11    or any(body.previous_threads, .sender.email.email != mailbox.email.email)
12  )
13  
14  // few links that aren't "social" links
15  and 0 < length(filter(body.current_thread.links,
16                        .href_url.domain.root_domain not in (
17                          'x.com',
18                          'facebook.com',
19                          'twitter.com',
20                          'instagram.com',
21                          'youtube.com',
22                          'linkedin.com'
23                        )
24                 )
25  ) < 10
26  
27  // undisclosed recipients or all recipients cc'd
28  and (
29    any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
30    or (length(recipients.cc) > 0 and length(recipients.to) == 0)
31    or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
32    or (
33      length(recipients.to) == 1
34      and length(recipients.cc) == 0
35      and length(recipients.bcc) == 0
36      and all(recipients.to, .email.email == sender.email.email)
37      and all(recipients.to, .email.email != mailbox.email.email)
38    )
39  )
40  
41  // links to free file hosts or free subdomain hosts
42  and any(body.current_thread.links,
43          (
44            .href_url.domain.root_domain in $free_file_hosts
45            or .href_url.domain.root_domain in $free_subdomain_hosts
46          )
47          and .visible
48          and not (
49            .href_url.domain.root_domain == "googleusercontent.com"
50            and strings.istarts_with(.href_url.path, "/mail-sig")
51          )
52          and not .href_url.domain.domain in $tenant_domains
53  )
54  
55  // negate listmailers & benign threads
56  and not (
57    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
58    or any(ml.nlu_classifier(body.current_thread.text).intents,
59           .name == "benign" and .confidence == "high"
60    )
61  )
62  and not (
63    (
64      sender.email.domain.root_domain in ("twilio.com", "zendesk.com")
65      or headers.return_path.domain.root_domain in ("twilio.com", "zendesk.com")
66    )
67    and coalesce(headers.auth_summary.dmarc.pass, false)
68  )
69  
70  // unsolicited and passing auth, or failing/missing dmarc
71  and (
72    (
73      coalesce(headers.auth_summary.dmarc.pass, false)
74      and not profile.by_sender().solicited
75    )
76    or profile.by_sender_email().days_since.last_inbound > 365
77    or (not coalesce(headers.auth_summary.dmarc.pass, false))
78  )  
79
80attack_types:
81  - "Credential Phishing"
82  - "Malware/Ransomware"
83tactics_and_techniques:
84  - "Free file host"
85  - "Free subdomain host"
86  - "Evasion"
87detection_methods:
88  - "Header analysis"
89  - "URL analysis"
90  - "Sender analysis"
91  - "Natural Language Understanding"
92id: "b6281306-bf26-58e2-8445-0ef8d05d9820"