Link: Free file hosting with undisclosed recipients
Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.
# Sublime Security detection rule. The `source` block is an MQL expression that
# must evaluate to true for the message to match; the surrounding keys are metadata.
name: "Link: Free file hosting with undisclosed recipients"
description: "Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms."
type: "rule"
severity: "medium"
source: |
  // Only inbound mail is evaluated; every clause below is AND-ed onto this.
  type.inbound
  // no previous threads
  and length(body.previous_threads) == 0

  // few links: at least one link, but fewer than ten
  and 0 < length(body.current_thread.links) < 10

  // undisclosed recipients or all recipients cc'd
  // Each branch describes one way the real recipient list can be hidden.
  and (
    // "undisclosed?recipients" -- '?' matches a single character, so both
    // "undisclosed recipients" and "undisclosed-recipients" match, case-insensitively
    any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
    // nobody in To, everyone in Cc
    or (length(recipients.cc) > 0 and length(recipients.to) == 0)
    // nobody in To, everyone in Bcc
    or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
    // exactly one To recipient, who is the sender themselves and is not this
    // mailbox -- the mailbox must therefore have received it another way
    // (typically a Bcc-to-everyone send; NOTE(review): confirm that is the intent)
    or (
      length(recipients.to) == 1
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
      and all(recipients.to, .email.email == sender.email.email)
      and all(recipients.to, .email.email != mailbox.email.email)
    )
  )

  // links to free file hosts or free subdomain hosts
  // $free_file_hosts and $free_subdomain_hosts are rule lists maintained outside this file.
  and any(body.current_thread.links,
          (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
          )
          // a subdomain is required for BOTH list kinds: a link to the bare root
          // domain of a free file host does not match this rule
          // NOTE(review): confirm that gap is intentional rather than an oversight
          and .href_url.domain.subdomain is not null
          // ignore links that are not visible in the rendered body
          and .visible
          // exclude the googleusercontent.com "/mail-sig" path
          // (presumably Gmail signature images -- verify against sample mail)
          and not (
            .href_url.domain.root_domain == "googleusercontent.com"
            and strings.istarts_with(.href_url.path, "/mail-sig")
          )
  )

  // negate listmailers & benign threads
  and not (
    // any hop carrying a List-Unsubscribe header is treated as list mail
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    // NLU classifier rates the body text as benign with high confidence
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "benign" and .confidence == "high"
    )
  )

  // unsolicited and passing auth, or failing/missing dmarc
  // coalesce(..., false) treats a missing DMARC result the same as a failure.
  // Ignoring nulls, the whole clause is equivalent to
  // "not (dmarc passes and the sender is solicited)".
  and (
    (
      coalesce(headers.auth_summary.dmarc.pass, false)
      and not profile.by_sender().solicited
    )
    or (not coalesce(headers.auth_summary.dmarc.pass, false))
  )


# Metadata used for triage and reporting; it does not affect matching.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Evasion"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
  - "Natural Language Understanding"
id: "b6281306-bf26-58e2-8445-0ef8d05d9820"