Link: Direct link to limewire hosted file
Message contains exactly one link to limewire.com domain with fewer than 10 total links in the body.
1name: "Link: Direct link to limewire hosted file"
2description: "Message contains exactly one link to limewire.com domain with fewer than 10 total links in the body."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 // the body contains fewer than 10 links in total
8 and length(body.links) < 10
9 // at least one link whose full host is exactly limewire.com
10 and any(body.links, .href_url.domain.domain == "limewire.com")
11 // exactly one link points to a limewire.com (root domain) download path under /d/
12 and length(filter(body.links,
13 .href_url.domain.root_domain == "limewire.com"
14 and strings.istarts_with(.href_url.path, "/d/")
15 )
16 ) == 1
17 and not length(body.previous_threads) > 0
18 // negate highly trusted sender domains unless they fail DMARC authentication
19 and (
20 (
21 sender.email.domain.root_domain in $high_trust_sender_root_domains
22 and not headers.auth_summary.dmarc.pass
23 )
24 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
25 )
26 and not profile.by_sender_email().any_messages_benign
27tags:
28 - "Attack surface reduction"
29attack_types:
30 - "Malware/Ransomware"
31tactics_and_techniques:
32 - "Free file host"
33detection_methods:
34 - "URL analysis"
35 - "Content analysis"
36id: "70840d00-c6e3-59ec-8dc5-8156e61abec6"