Link: IPFS

calendar Feb 26, 2024  ·
Share on: linkedin copy

Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.

Sublime rule (View on GitHub)

 1name: "Link: IPFS"
 2description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites."
 3references:
 4  - "https://securelist.com/ipfs-phishing/109158/"
 5  - "https://docs.ipfs.tech/how-to/address-ipfs-on-web/"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(body.links,
11          // Any body link domains contain "ipfs"
12          strings.icontains(.href_url.domain.domain, "ipfs")
13  
14          // Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
15          or (
16            regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
17            and .href_url.domain.domain not in $org_domains
18            and (
19              (
20                // don't include high rep domains
21                .href_url.domain.domain not in $tranco_1m
22                and .href_url.domain.domain not in $umbrella_1m
23              )
24              // if it's in Tranco or Umbrella, still include it if it's one of these
25              or .href_url.domain.domain in $free_file_hosts
26              or .href_url.domain.root_domain in $free_file_hosts
27              or .href_url.domain.root_domain in $free_subdomain_hosts
28            )
29          )
30  )
31  
32  // adding negation block for legitimate domains with ipfs in their name
33  and not sender.email.domain.domain in ("shipfsl.com")
34
35  // negate any link extractions from additional recipients at ipfs.com
36  and not any(recipients.to, .email.domain.domain == "ipfs.com")
37  
38  and (
39    not profile.by_sender().solicited
40    or (
41      profile.by_sender().any_messages_malicious_or_spam
42      and not profile.by_sender().any_false_positives
43    )
44  )
45
46  and not profile.by_sender().any_false_positives  
47
48attack_types:
49  - "Credential Phishing"
50  - "Malware/Ransomware"
51tactics_and_techniques:
52  - "Free file host"
53  - "Free subdomain host"
54  - "IPFS"
55detection_methods:
56  - "Sender analysis"
57  - "URL analysis"
58id: "19fa6442-83b9-5479-ba04-61906b595929"
to-top