Link: Direct Link to gamma.app Presentation in Present Mode

Detects URLs linking to Gamma App presentation mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities.

Sublime rule

name: "Link: Direct Link to gamma.app Presentation in Present Mode"
description: "Detects URLs linking to Gamma App presentation mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          (
            .href_url.domain.root_domain == "gamma.app"
            or strings.icontains(.href_url.query_params, 'gamma.app')
            or strings.icontains(.href_url.query_params, 'gamma%2eapp')
            or strings.icontains(.href_url.query_params, 'gamma%252eapp')
          )
          and strings.icontains(.href_url.query_params, 'mode=present')
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "080ab581-e6ab-5c82-927b-e57f3080f27a"
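To check the rule's link logic against URLs before deploying it, the following is an added Python re-implementation of the `source` condition; it is not Sublime's code and not part of the rule. It assumes `.href_url.query_params` is the raw query string and approximates `root_domain` with the last two host labels; all sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Substrings the rule looks for in the raw query string: plain, URL-encoded
# dot, and double-encoded dot (as left behind by nested redirect wrappers).
GAMMA_MARKERS = ("gamma.app", "gamma%2eapp", "gamma%252eapp")
MAX_LINKS = 10  # the rule requires length(body.links) < 10


def root_domain(host):
    """Assumption: last two labels; adequate for gamma.app, not a PSL lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_matches(url):
    """Mirror of the per-link condition inside any(body.links, ...)."""
    parts = urlsplit(url)
    query = parts.query.lower()  # strings.icontains is case-insensitive
    points_at_gamma = (
        root_domain(parts.hostname or "") == "gamma.app"
        or any(marker in query for marker in GAMMA_MARKERS)
    )
    return points_at_gamma and "mode=present" in query


def message_matches(links):
    """links: every URL extracted from one inbound message body."""
    return len(links) < MAX_LINKS and any(link_matches(u) for u in links)


# Constructed sample URLs (not taken from real messages).
SAMPLES = {
    "direct": "https://gamma.app/docs/sample-deck-abc123?mode=present",
    "doc_view": "https://gamma.app/docs/sample-deck-abc123",
    "wrapped": "https://redirect.example/r?u=https://gamma.app/docs/x?mode=present",
    "wrapped_enc": "https://redirect.example/r?u=https://gamma%2Eapp/docs/x?mode=present",
    "unrelated": "https://example.com/watch?mode=present",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:12} {link_matches(url)}")
```

The `doc_view` and `unrelated` samples show the two halves of the condition: a gamma.app link without `mode=present` does not match, and `mode=present` on another domain does not match either.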
