Link: IPFS
Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.
Sublime rule (View on GitHub)
1name: "Link: IPFS"
2description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites."
3references:
4 - "https://securelist.com/ipfs-phishing/109158/"
5 - "https://docs.ipfs.tech/how-to/address-ipfs-on-web/"
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 and any(body.links,
11 // Any body link domains contain "ipfs"
12 strings.icontains(.href_url.domain.domain, "ipfs")
13
14 // Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
15 or (
16 regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
17 and .href_url.domain.domain not in $org_domains
18 and (
19 (
20 // don't include high rep domains
21 .href_url.domain.domain not in $tranco_1m
22 and .href_url.domain.domain not in $umbrella_1m
23 )
24 // if it's in Tranco or Umbrella, still include it if it's one of these
25 or .href_url.domain.domain in $free_file_hosts
26 or .href_url.domain.root_domain in $free_subdomain_hosts
27 )
28 )
29 )
30
31 // adding negation block for legitimate domains with ipfs in their name
32 and not sender.email.domain.domain in ("shipfsl.com")
33
34 // unsolicited
35 and (
36 (
37 sender.email.domain.root_domain in $free_email_providers
38 and sender.email.email not in $recipient_emails
39 )
40 or (
41 sender.email.domain.root_domain not in $free_email_providers
42 and sender.email.domain.domain not in $recipient_domains
43 )
44 )
45attack_types:
46 - "Credential Phishing"
47 - "Malware/Ransomware"
48tactics_and_techniques:
49 - "Free file host"
50 - "Free subdomain host"
51 - "IPFS"
52detection_methods:
53 - "Sender analysis"
54 - "URL analysis"
55id: "19fa6442-83b9-5479-ba04-61906b595929"