Notion suspicious file share
Message contains a Notion link containing suspicious terms. You may need to deactivate or fork this rule if your organization uses Notion.
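name: "Notion suspicious file share"
description: |
  Message contains a notion link that contains suspicious terms. You
  may need to deactivate or fork this rule if your organization uses
  Notion.
type: "rule"
severity: "medium"
source: |
  // Inbound mail carrying at least one link to a Notion-hosted page whose
  // URL, display URL or anchor text uses file-share / document lure wording,
  // sent by someone who is not Notion itself and has a weak sender history.
  type.inbound
  and any(body.links,
          // notion.site hosts published (public) Notion pages, so it is the
          // same lure surface as notion.so; in~ keeps the match case-insensitive
          .href_url.domain.root_domain in~ ('notion.so', 'notion.site')
          and (
            // '*share*' already matches 'shared', so the duplicate pattern is
            // not repeated; the same list is applied to all three link fields
            strings.ilike(.href_url.url,
                          '*document*',
                          '*secure*',
                          '*office*',
                          '*important*',
                          '*wants-to*',
                          '*share*',
                          '*statement*'
            )
            or strings.ilike(.display_url.url,
                             '*document*',
                             '*secure*',
                             '*office*',
                             '*important*',
                             '*wants-to*',
                             '*share*',
                             '*statement*'
            )
            or strings.ilike(.display_text,
                             '*document*',
                             '*secure*',
                             '*office*',
                             '*important*',
                             '*wants-to*',
                             '*share*',
                             '*statement*'
            )
          )
  )
  // Exclude Notion's own notification mail, but only when the claimed sender
  // domain is DMARC-authenticated: a bare domain comparison alone can be
  // satisfied by a forged From header. A message with no auth result stays
  // unmatched here, as it did with the plain domain exclusion.
  and not (
    sender.email.domain.domain == 'mail.notion.so'
    and headers.auth_summary.dmarc.pass
  )
  // Sender is unfamiliar to the org, or has prior malicious/spam history
  // without any recorded false positives
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "f7307929-bbfd-58b6-81e4-afff7610cff2"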