Link: IPFS

 1name: "Link: IPFS"
 2description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites."
 3references:
 4  - "https://securelist.com/ipfs-phishing/109158/"
 5  - "https://docs.ipfs.tech/how-to/address-ipfs-on-web/"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(body.links,
11          // Any body link domains contain "ipfs"
12          strings.icontains(.href_url.domain.domain, "ipfs")
13
14          // Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
15          or (
16            regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
17            and .href_url.domain.domain not in $org_domains
18            and (
19              (
20                // don't include high rep domains
21                .href_url.domain.domain not in $tranco_1m
22                and .href_url.domain.domain not in $umbrella_1m
23              )
24              // if it's in Tranco or Umbrella, still include it if it's one of these
25              or .href_url.domain.domain in $free_file_hosts
26              or .href_url.domain.root_domain in $free_subdomain_hosts
27            )
28          )
29  )
30
31  // adding negation block for legitimate domains with ipfs in their name
32  and not sender.email.domain.domain in ("shipfsl.com")
33
34  // unsolicited
35  and (
36    (
37      sender.email.domain.root_domain in $free_email_providers
38      and sender.email.email not in $recipient_emails
39    )
40    or (
41      sender.email.domain.root_domain not in $free_email_providers
42      and sender.email.domain.domain not in $recipient_domains
43    )
44  )  
45attack_types:
46  - "Credential Phishing"
47  - "Malware/Ransomware"
48tactics_and_techniques:
49  - "Free file host"
50  - "Free subdomain host"
51  - "IPFS"
52detection_methods:
53  - "Sender analysis"
54  - "URL analysis"
55id: "19fa6442-83b9-5479-ba04-61906b595929"