Link: IPFS

calendar Oct 16, 2024  ·
Share on: linkedin copy

Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.

Sublime rule (View on GitHub)

 1name: "Link: IPFS"
 2description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites."
 3references:
 4  - "https://securelist.com/ipfs-phishing/109158/"
 5  - "https://docs.ipfs.tech/how-to/address-ipfs-on-web/"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(body.links,
11          // Any body link domains contain "ipfs"
12          (
13            strings.icontains(.href_url.domain.domain, "ipfs")
14            and not .href_url.domain.root_domain == "ipfs.com"
15          )
16  
17          // Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
18          or (
19            regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
20            and .href_url.domain.domain not in $org_domains
21            and (
22              (
23                // don't include high rep domains
24                .href_url.domain.domain not in $tranco_1m
25                and .href_url.domain.domain not in $umbrella_1m
26              )
27              // if it's in Tranco or Umbrella, still include it if it's one of these
28              or .href_url.domain.domain in $free_file_hosts
29              or .href_url.domain.root_domain in $free_file_hosts
30              or .href_url.domain.root_domain in $free_subdomain_hosts
31            )
32          )
33  )
34  
35  // adding negation block for legitimate domains with ipfs in their name
36  and not sender.email.domain.domain in ("shipfsl.com")
37
38  // negate ipfs.com issues
39  and not any(recipients.to, .email.domain.domain == "ipfs.com")
40  and not (
41      sender.email.domain.root_domain is not null 
42      and sender.email.domain.root_domain == "ipfs.com"
43    and headers.auth_summary.dmarc.pass
44  )
45  
46  and (
47    not profile.by_sender().solicited
48    or (
49      profile.by_sender().any_messages_malicious_or_spam
50      and not profile.by_sender().any_false_positives
51    )
52  )
53  and not profile.by_sender().any_false_positives  
54
55attack_types:
56  - "Credential Phishing"
57  - "Malware/Ransomware"
58tactics_and_techniques:
59  - "Free file host"
60  - "Free subdomain host"
61  - "IPFS"
62detection_methods:
63  - "Sender analysis"
64  - "URL analysis"
65id: "19fa6442-83b9-5479-ba04-61906b595929"
to-top