Link: Direct link to gamma.app document with mode parameter

Detects URLs linking to Gamma App presentation or document mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities.

Sublime rule

name: "Link: Direct link to gamma.app document with mode parameter"
description: "Detects URLs linking to Gamma App presentation or document mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          (
            .href_url.domain.root_domain == "gamma.app"
            or strings.icontains(.href_url.query_params, 'gamma.app')
            or strings.icontains(.href_url.query_params, 'gamma%2eapp')
            or strings.icontains(.href_url.query_params, 'gamma%252eapp')
          )
          and regex.icontains(.href_url.query_params, 'mode=(present|doc)')
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "080ab581-e6ab-5c82-927b-e57f3080f27a"
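To make the rule's logic concrete, the following Python reimplements its checks and runs them over a handful of constructed messages. This is an added example, not Sublime's engine or part of the rule: the message dictionaries, the simplified `root_domain` helper (last two labels, rather than public-suffix-aware extraction as in the real `.domain.root_domain`), and the `redirector.example` host are all assumptions made for illustration. It shows what each clause contributes: the direct-domain match, the three query-string encodings of the domain that catch redirector-wrapped links, the case-insensitive `mode=` test, and the inbound and link-count gates.

```python
import re
from urllib.parse import urlsplit

# Case-insensitive equivalent of regex.icontains(.href_url.query_params, 'mode=(present|doc)')
MODE_RE = re.compile(r"mode=(present|doc)", re.IGNORECASE)

# The three spellings the rule looks for inside query parameters: plain,
# single-URL-encoded dot, and double-URL-encoded dot.
QUERY_DOMAIN_HITS = ("gamma.app", "gamma%2eapp", "gamma%252eapp")


def root_domain(hostname: str) -> str:
    """Simplified root-domain extraction (assumption: last two labels).
    Sublime's .domain.root_domain uses the public suffix list; this is
    enough for gamma.app but would be wrong for e.g. co.uk hosts."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def link_matches(href: str) -> bool:
    """One link's contribution to the any(body.links, ...) clause."""
    parts = urlsplit(href)
    query = parts.query  # corresponds to .href_url.query_params
    query_lower = query.lower()
    domain_hit = (
        root_domain(parts.hostname or "") == "gamma.app"
        or any(needle in query_lower for needle in QUERY_DOMAIN_HITS)
    )
    return domain_hit and MODE_RE.search(query) is not None


def rule_matches(message: dict) -> bool:
    """Whole rule: type.inbound and length(body.links) < 10 and any(...)."""
    if not message.get("type", {}).get("inbound", False):
        return False
    links = message.get("body", {}).get("links", [])
    if len(links) >= 10:
        return False
    return any(link_matches(link["href_url"]) for link in links)


def evaluate(messages) -> dict:
    """Map each sample message id to the rule verdict."""
    return {m["id"]: rule_matches(m) for m in messages}


# Constructed sample messages (not real mail), shaped like Sublime's
# message-data model: type.inbound and body.links[].href_url.
SAMPLE_MESSAGES = [
    {   # direct gamma.app link in presentation mode -> matches
        "id": "direct", "type": {"inbound": True},
        "body": {"links": [{"href_url": "https://gamma.app/docs/Quarterly-Update-abc123?mode=present"}]},
    },
    {   # gamma.app hidden inside a redirector's query string -> matches
        "id": "redirect", "type": {"inbound": True},
        "body": {"links": [{"href_url": "https://redirector.example/go?target=https://gamma.app/docs/x&mode=doc"}]},
    },
    {   # double-encoded dot and mixed-case mode value -> still matches
        "id": "encoded", "type": {"inbound": True},
        "body": {"links": [{"href_url": "https://redirector.example/go?u=gamma%252eapp&mode=Present"}]},
    },
    {   # gamma.app link without the mode parameter -> no match
        "id": "no-mode", "type": {"inbound": True},
        "body": {"links": [{"href_url": "https://gamma.app/docs/abc123"}]},
    },
    {   # outbound message -> gated out by type.inbound
        "id": "outbound", "type": {"inbound": False},
        "body": {"links": [{"href_url": "https://gamma.app/docs/abc123?mode=present"}]},
    },
    {   # link-heavy newsletter-style message -> gated out by length(body.links) < 10
        "id": "bulk", "type": {"inbound": True},
        "body": {"links": [{"href_url": "https://gamma.app/docs/abc123?mode=present"}]
                 + [{"href_url": f"https://news.example/story/{i}"} for i in range(11)]},
    },
]

if __name__ == "__main__":
    for msg_id, verdict in evaluate(SAMPLE_MESSAGES).items():
        print(f"{msg_id:>9}: {'MATCH' if verdict else 'no match'}")
```

Note that the `mode=` regex is applied to the query string only, so a wrapped link whose inner URL is itself percent-encoded (`mode%3Ddoc`) would not satisfy it; that is a boundary of the rule as written, not of this reimplementation.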
