Link: Multistage Landing - Abused Adobe frame.io
The detection rule matches on message groups that use Adobe's frame.io as a landing page. The frame.io landing page contains links that are newly registered, use free file or subdomain hosts, use URL shorteners, or, when visited, are phishing pages, lead to a captcha, or redirect to a well-known domain (a pattern seen in evasion tactics).
Sublime rule (View on GitHub)
name: "Link: Multistage Landing - Abused Adobe frame.io"
description: "The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, URL shorteners or when visited are phishing pages, lead to a captcha or redirect to a well-known domain, seen in evasion tactics."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.domain == "frame.io"
  // these messages contain no email address of the actual sender
  // so sender profile won't be interesting
  // however the subject and sender display names do contain the name of the frame.io account
  // which sent the share

  // negate where internal employees might have sent the message
  and not any($org_display_names, strings.istarts_with(subject.subject, .))

  // limiting scope to just "shares" in subject
  and strings.icontains(subject.subject, ' shared ')

  // the subject contains the name of the file that has been shared
  // the body does not contain the name shared depending on how it's shared,
  // let us use the suspicious file shares from sharepoint here
  // https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_sharepoint_sus_name.yml
  and (
    (
      // file sharing service references
      strings.icontains(subject.subject, 'dropbox')
      or strings.icontains(subject.subject, 'docusign')

      // file name lures
      // secure theme
      or regex.icontains(subject.subject, 'secured?.*(?:file|document|docs|fax)')
      or regex.icontains(subject.subject, 'important.*(?:file|document|docs|fax)')
      or regex.icontains(subject.subject, 'shared?.*(?:file|document|docs|fax)')
      or regex.icontains(subject.subject, 'protected.*(?:file|document|docs|fax)')
      or regex.icontains(subject.subject, 'encrypted.*(?:file|document|docs|fax)')

      // scanner theme ("scanner_" / "scanned_"; a character class needs a regex match)
      or regex.icontains(subject.subject, 'scanne[rd]_')
      // image themed
      or strings.icontains(subject.subject, '_IMG_')
      or regex.icontains(subject.subject, '^IMG[_-](?:\d|\W)+$')

      // digits
      or regex.icontains(subject.subject, 'doc(?:ument)?\s?\d+$')
      or regex.icontains(subject.subject, '^\d+$')

      // onedrive theme
      or strings.icontains(subject.subject, 'one_docx')
      or strings.icontains(subject.subject, 'OneDrive')
      or regex.icontains(subject.subject, 'A document.*One.?Drive')

      // action in file name
      or strings.icontains(subject.subject, 'click here')
      or strings.icontains(subject.subject, 'Download PDF')
      or strings.icontains(subject.subject, 'Validate')

      // limited file name to "confidential"
      or subject.subject =~ 'Confidentiality'
      or subject.subject =~ 'Confidential'

      // invoice themes
      or any(ml.nlu_classifier(subject.subject).entities, .name == "financial")
      or strings.icontains(subject.subject, 'payment')
      or strings.icontains(subject.subject, 'invoice')
      or regex.icontains(subject.subject, 'INV(?:_|\s)?\d+$')
      // starts with INV_ or INV\x20
      or regex.icontains(subject.subject, '^INV(?:_|\s)')
      or regex.icontains(subject.subject, 'P[O0]\W+?\d+$')
      or strings.icontains(subject.subject, 'receipt')
      or strings.icontains(subject.subject, 'billing')
      or (
        strings.icontains(subject.subject, 'statement')
        and not subject.subject =~ "Privacy Statement"
      )
      or strings.icontains(subject.subject, 'Past Due')
      or regex.icontains(subject.subject, 'Remit(tance)?')
      or strings.icontains(subject.subject, 'Purchase Order')

      // contract language
      or strings.icontains(subject.subject, 'settlement')
      or strings.icontains(subject.subject, 'contract agreement')
      or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
      or strings.icontains(subject.subject, 'contract doc')
    )
    or any(filter(body.links,
                  .href_url.domain.root_domain == "frame.io"
                  and (
                    strings.starts_with(.href_url.path, '/reviews/')
                    or strings.starts_with(.href_url.path, '/presentations/')
                  )
           ),
           // when visiting the page on frame.io, the links contain
           // indications of being suspicious
           any(filter(ml.link_analysis(.).final_dom.links,
                      // remove links that are within frame.io or their default page
                      .href_url.domain.root_domain not in (
                        'frame.io',
                        'f.io',
                        'onetrust.com'
                      )
               ),
               (
                 // any of those links domains are new
                 network.whois(.href_url.domain).days_old < 30

                 // go to free file hosts
                 or .href_url.domain.root_domain in $free_file_hosts
                 or .href_url.domain.domain in $free_file_hosts

                 // go to free subdomains hosts
                 or (
                   .href_url.domain.root_domain in $free_subdomain_hosts
                   // where there is a subdomain
                   and .href_url.domain.subdomain is not null
                   and .href_url.domain.subdomain != "www"
                 )
                 // go to URL shorteners
                 or .href_url.domain.root_domain in $url_shorteners
                 or .href_url.domain.domain in $url_shorteners
                 or (
                   // the subject (which carries the shared file name) mentions common "action" words
                   regex.icontains(subject.subject,
                                   '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                   )
                   and (
                     // and when visiting those links, are phishing
                     ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                     // hit a captcha page
                     or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                     // or the page redirects to common website, observed when evasion happens
                     or (
                       length(ml.link_analysis(., mode="aggressive").redirect_history) > 0
                       and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                     )
                   )
                 )
               )
           )

           // or search for QR codes in the screenshot of the frame.io page
           or any(file.explode(ml.link_analysis(.).screenshot),
                  .depth == 0
                  and (
                    (
                      .scan.qr.type == "url"
                      and .scan.qr.url.domain.root_domain not in (
                        'frame.io',
                        'f.io',
                        'onetrust.com'
                      )
                    )
                    // some samples have a pdf uploaded that contains a Sharepoint File Share lure.
                    // we can use ocr to detect this
                    or strings.icontains(.scan.ocr.raw,
                                         'This email contains a secure link to sharepoint'
                    )
                  )
           )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Whois"
  - "Computer Vision"
  - "URL analysis"
  - "HTML analysis"
id: "a6c457c5-b171-52c7-9a44-fee65fb89aef"
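To make the rule's triage logic concrete, here is an added Python sketch (not Sublime's code, and not MQL) that applies the same scoping, subject-lure and landing-page link checks to constructed sample messages. The host lists are stand-ins for Sublime's $free_file_hosts, $free_subdomain_hosts and $url_shorteners, and each message record carries (url, whois_days_old) pairs standing in for what link_analysis and network.whois would return for the links on the frame.io page.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for Sublime's $free_file_hosts, $free_subdomain_hosts
# and $url_shorteners lists (the real lists are maintained by Sublime).
FREE_FILE_HOSTS = {"mediafire.com", "mega.nz"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "pages.dev"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
LANDING_ALLOW = {"frame.io", "f.io", "onetrust.com"}  # excluded from the DOM link scan

# A subset of the rule's subject lures (the subject carries the shared file name)
SUBJECT_LURES = [re.compile(p, re.I) for p in (
    r"dropbox", r"docusign", r"secured?.*(?:file|document|docs|fax)", r"scanne[rd]_",
    r"^IMG[_-](?:\d|\W)+$", r"doc(?:ument)?\s?\d+$", r"^\d+$", r"invoice",
    r"INV(?:_|\s)?\d+$", r"^INV(?:_|\s)", r"P[O0]\W+?\d+$", r"Pr[0o]p[0o]sal")]

def split_host(host):
    """Naive root_domain/subdomain split (no public-suffix list) for .href_url.domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]), ".".join(parts[:-2]) or None

def subject_is_lure(subject):
    return any(p.search(subject) for p in SUBJECT_LURES)

def link_is_suspicious(url, days_old):
    """Per-link checks the rule applies to links found on the frame.io landing page."""
    root, sub = split_host(urlsplit(url).hostname or "")
    host = (urlsplit(url).hostname or "").lower()
    if root in LANDING_ALLOW:                          # frame.io / f.io / onetrust.com
        return False
    return ((days_old is not None and days_old < 30)   # newly registered domain
            or root in FREE_FILE_HOSTS or host in FREE_FILE_HOSTS
            or (root in FREE_SUBDOMAIN_HOSTS and sub not in (None, "www"))
            or root in URL_SHORTENERS or host in URL_SHORTENERS)

def evaluate(msg, org_display_names=("Example Corp",)):
    """Return True when the constructed message record would trip the rule."""
    subj = msg["subject"]
    if msg["sender_domain"] != "frame.io":
        return False
    if any(subj.lower().startswith(n.lower()) for n in org_display_names):
        return False                                   # share sent by an internal account
    if " shared " not in subj.lower():
        return False                                   # only frame.io share notifications
    return subject_is_lure(subj) or any(link_is_suspicious(u, a) for u, a in msg["landing_links"])

SAMPLES = {  # constructed messages; subject = "<account name> shared <file name>"
    "lure_subject": {"sender_domain": "frame.io", "subject": "Alice Smith shared INV_20931", "landing_links": []},
    "young_domain": {"sender_domain": "frame.io", "subject": "Alice Smith shared quarterly_review",
                     "landing_links": [("https://login.example-new.net/auth", 3)]},
    "benign": {"sender_domain": "frame.io", "subject": "Alice Smith shared quarterly_review",
               "landing_links": [("https://app.frame.io/reviews/abc123", 4000)]},
    "internal": {"sender_domain": "frame.io", "subject": "Example Corp shared INV_20931", "landing_links": []},
}
```

The QR, OCR and credphish branches of the rule depend on Sublime's link_analysis and file.explode output and are not modelled here.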