Link: Multistage Landing - Abused Adobe frame.io
The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a well-known domain, seen in evasion tactics.
Sublime rule (View on GitHub)
1name: "Link: Multistage Landing - Abused Adobe frame.io"
2description: "The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a well-known domain, seen in evasion tactics."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and sender.email.domain.domain == "frame.io"
8 // these messages contain no email address of the actual sender
9 // so sender profile won't be interesting
10 // however the subject and sender display names do contain the name of the frame.io account
11 // which sent the share
12
13 // negate where internal employees might have sent the message
14 and not any($org_display_names, strings.istarts_with(subject.subject, .))
15
16 // the subject contains the name of the file that has been shared
17 // the body does not contain the name shared depending on how it's shared,
18 // let us use the suspicious file shares from sharepoint here
19 // https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_sharepoint_sus_name.yml
20 and (
21 (
22 // file sharing service references
23 strings.icontains(subject.subject, 'dropbox')
24 or strings.icontains(subject.subject, 'docusign')
25
26 // file name lures
27 // secure theme
28 or regex.icontains(subject.subject, 'secured?.*(?:file|document|docs|fax)')
29 or regex.icontains(subject.subject, 'important.*(?:file|document|docs|fax)')
30 or regex.icontains(subject.subject, 'shared?.*(?:file|document|docs|fax)')
31 or regex.icontains(subject.subject, 'protected.*(?:file|document|docs|fax)')
32 or regex.icontains(subject.subject, 'encrypted.*(?:file|document|docs|fax)')
33
34 // scanner theme
35 or strings.icontains(subject.subject, 'scanne[rd]_')
36 // image themed
37 or strings.icontains(subject.subject, '_IMG_')
38 or regex.icontains(subject.subject, '^IMG[_-](?:\d|\W)+$')
39
40 // digits
41 or regex.icontains(subject.subject, 'doc(?:ument)?\s?\d+$')
42 or regex.icontains(subject.subject, '^\d+$')
43
44 // onedrive theme
45 or strings.icontains(subject.subject, 'one_docx')
46 or strings.icontains(subject.subject, 'OneDrive')
47 or regex.icontains(subject.subject, 'A document.*One.?Drive')
48
49 // action in file name
50 or strings.icontains(subject.subject, 'click here')
51 or strings.icontains(subject.subject, 'Download PDF')
52 or strings.icontains(subject.subject, 'Validate')
53
54 // limited file name to "confidential"
55 or subject.subject =~ 'Confidentiality'
56 or subject.subject =~ 'Confidential'
57
58 // invoice themes
59 or any(ml.nlu_classifier(subject.subject).entities, .name == "financial")
60 or strings.icontains(subject.subject, 'payment')
61 or strings.icontains(subject.subject, 'invoice')
62 or regex.icontains(subject.subject, 'INV(?:_|\s)?\d+$')
63 // starts with INV_ or INV\x20
64 or regex.icontains(subject.subject, '^INV(?:_|\s)')
65 or regex.icontains(subject.subject, 'P[O0]\W+?\d+$')
66 or strings.icontains(subject.subject, 'receipt')
67 or strings.icontains(subject.subject, 'billing')
68 or (
69 strings.icontains(subject.subject, 'statement')
70 and not subject.subject =~ "Privacy Statement"
71 )
72 or strings.icontains(subject.subject, 'Past Due')
73 or regex.icontains(subject.subject, 'Remit(tance)?')
74 or strings.icontains(subject.subject, 'Purchase Order')
75
76 // contract language
77 or strings.icontains(subject.subject, 'settlement')
78 or strings.icontains(subject.subject, 'contract agreement')
79 or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
80 or strings.icontains(subject.subject, 'contract doc')
81 )
82 or any(filter(body.links,
83 .href_url.domain.root_domain == "frame.io"
84 and (
85 strings.starts_with(.href_url.path, '/reviews/')
86 or strings.starts_with(.href_url.path, '/presentations/')
87 )
88 ),
89 // when visiting the page on frame.io, the links contain
90 // indications of being suspicious
91 any(filter(ml.link_analysis(.).final_dom.links,
92 // remove links that are within frame.io or their default page
93 .href_url.domain.root_domain not in (
94 'frame.io',
95 'f.io',
96 'onetrust.com'
97 )
98 ),
99 (
100 // any of those links domains are new
101 network.whois(.href_url.domain).days_old < 30
102
103 // go to free file hosts
104 or .href_url.domain.root_domain in $free_file_hosts
105 or .href_url.domain.domain in $free_file_hosts
106
107 // go to free subdomains hosts
108 or (
109 .href_url.domain.root_domain in $free_subdomain_hosts
110 // where there is a subdomain
111 and .href_url.domain.subdomain is not null
112 and .href_url.domain.subdomain != "www"
113 )
114 // go to url shortners
115 or .href_url.domain.root_domain in $url_shorteners
116 or .href_url.domain.domain in $url_shorteners
117 or (
118 // find any links that mention common "action" words
119 regex.icontains(subject.subject,
120 '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
121 )
122 and (
123 // and when visiting those links, are phishing
124 ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
125
126 // hit a captcha page
127 or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
128
129 // or the page redirects to common website, observed when evasion happens
130 or (
131 length(ml.link_analysis(., mode="aggressive").redirect_history
132 ) > 0
133 and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
134 )
135 )
136 )
137 )
138 )
139
140 // or search for QR codes in the screenshot of the frame.io page
141 or any(file.explode(ml.link_analysis(.).screenshot),
142 .depth == 0
143 and (
144 (
145 .scan.qr.type == "url"
146 and .scan.qr.url.domain.root_domain not in (
147 'frame.io',
148 'f.io',
149 'onetrust.com'
150 )
151 )
152 // some samples have a pdf uploaded that contains a Sharepoint File Share lure.
153 // we can use ocr to detect this
154 or strings.icontains(.scan.ocr.raw,
155 'This email contains a secure link to sharepoint'
156 )
157 )
158 )
159 )
160 )
161attack_types:
162 - "Credential Phishing"
163tactics_and_techniques:
164 - "Evasion"
165 - "Free file host"
166detection_methods:
167 - "Content analysis"
168 - "Whois"
169 - "Computer Vision"
170 - "URL analysis"
171 - "HTML analysis"
172id: "a6c457c5-b171-52c7-9a44-fee65fb89aef"