Link: Direct link to limewire hosted file

 1name: "Link: Direct link to limewire hosted file"
 2description: "Message contains exactly one link to limewire.com domain with fewer than 10 total links in the body."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // there are few links
 8  and length(body.links) < 10
 9  // contains a link to limewire
10  and any(body.links, .href_url.domain.domain == "limewire.com")
11  // is the only link to limewire
12  and length(filter(body.links,
13                    .href_url.domain.root_domain == "limewire.com"
14                    and strings.istarts_with(.href_url.path, "/d/")
15             )
16  ) == 1
17  and not length(body.previous_threads) > 0
18  // negate highly trusted sender domains unless they fail DMARC authentication
19  and (
20    (
21      sender.email.domain.root_domain in $high_trust_sender_root_domains
22      and not headers.auth_summary.dmarc.pass
23    )
24    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
25  )
26  and not profile.by_sender_email().any_messages_benign  
27tags:
28 - "Attack surface reduction"
29attack_types:
30  - "Malware/Ransomware"
31tactics_and_techniques:
32  - "Free file host"
33detection_methods:
34  - "URL analysis"
35  - "Content analysis"
36id: "70840d00-c6e3-59ec-8dc5-8156e61abec6"