Link: Direct Link to gamma.app Presentation in Present Mode
Detects URLs linking to Gamma App presentation mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities
Sublime rule (View on GitHub)
```yaml
name: "Link: Direct Link to gamma.app Presentation in Present Mode"
description: "Detects URLs linking to Gamma App presentation mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          (
            .href_url.domain.root_domain == "gamma.app"
            or strings.icontains(.href_url.query_params, 'gamma.app')
            or strings.icontains(.href_url.query_params, 'gamma%2eapp')
            or strings.icontains(.href_url.query_params, 'gamma%252eapp')
          )
          and strings.icontains(.href_url.query_params, 'mode=present')
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "080ab581-e6ab-5c82-927b-e57f3080f27a"
```
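The rule's matching logic restated in Python, as an added example for testing links offline (not Sublime's code and not part of the rule). It assumes `query_params` is the raw, undecoded query string and approximates `root_domain` with the last two host labels; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Substrings the rule searches for in the query string: the plain,
# URL-encoded and double-URL-encoded spellings of "gamma.app".
GAMMA_MARKERS = ("gamma.app", "gamma%2eapp", "gamma%252eapp")


def root_domain(host: str) -> str:
    """Approximation (assumption): last two labels, no public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_matches(url: str) -> bool:
    """Per-link condition: link refers to gamma.app AND asks for present mode."""
    parts = urlsplit(url)
    query = parts.query.lower()  # lower-cased to mirror strings.icontains
    refers_to_gamma = (
        root_domain(parts.hostname or "") == "gamma.app"
        or any(marker in query for marker in GAMMA_MARKERS)
    )
    return refers_to_gamma and "mode=present" in query


def rule_matches(links: list[str]) -> bool:
    """Message-level condition: fewer than 10 links and any link matches."""
    return len(links) < 10 and any(link_matches(u) for u in links)


# Constructed sample links (placeholders, not real indicators).
SAMPLES = {
    "direct": "https://gamma.app/docs/example-doc-id?mode=present",
    "no_mode": "https://gamma.app/docs/example-doc-id",
    "wrapped": "https://redirect.example/r?u=https://gamma.app/docs/x?mode=present",
    "wrapped_enc": "https://redirect.example/r?u=https%3A%2F%2Fgamma%2Eapp%2Fx&mode=present",
    "wrapped_2x": "https://redirect.example/r?u=https%253A%252F%252Fgamma%252Eapp%252Fx&mode=present",
    "lookalike": "https://notgamma.example/docs/x?mode=present",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:12} {link_matches(url)}")
```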
Related rules
- Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address
- Service Abuse: HelloSign From an Unsolicited Sender Address
- Attachment: Web Files With Suspicious Comments
- Service Abuse: SurveyMonkey Survey From Newly Registered Domain
- Attachment: OLE external relationship containing file scheme link to executable filetype