Notion suspicious file share
Message contains a Notion link that contains suspicious terms. You may need to deactivate or fork this rule if your organization uses Notion.
# Sublime Security detection rule. The `source` block is MQL (Message
# Query Language), evaluated against each inbound message; the remaining
# keys are the rule's metadata and taxonomy.
name: "Notion suspicious file share"
description: |
  Message contains a notion link that contains suspicious terms. You
  may need to deactivate or fork this rule if your organization uses
  Notion.
type: "rule"
severity: "medium"
# Detection logic, as three conjuncts:
#   1. at least one body link whose root domain is notion.so and whose
#      URL, displayed URL, or anchor text contains one of the lure-style
#      terms below (the same term list is applied to each of the three
#      fields);
#   2. the sender's email domain is not Notion's own mailer
#      (mail.notion.so). NOTE(review): this compares the sender domain
#      string only; no SPF/DMARC result is consulted in this rule, so the
#      exclusion is a false-positive filter rather than an authentication
#      check — confirm whether that is the intended strength;
#   3. the sender is unknown: free-mail senders are judged by full
#      address, all other senders by domain. $free_email_providers,
#      $sender_emails and $sender_domains are presumably platform- or
#      organization-maintained lists; verify their contents when tuning.
# Tuning notes: the '*share*' glob already covers '*shared*', and terms
# such as '*document*' and '*office*' are deliberately broad, which is
# why the description advises Notion-using organizations to fork the
# rule. `=~` is presumably a case-insensitive comparison — confirm
# against the MQL reference before relying on casing.
source: |
  type.inbound
  // notion.so link carrying lure-style wording in the URL, the displayed
  // URL, or the visible link text
  and any(body.links,
          .href_url.domain.root_domain =~ 'notion.so'
          and (
            strings.ilike(.href_url.url,
                          '*shared*',
                          '*document*',
                          '*secure*',
                          '*office*',
                          '*important*',
                          '*wants-to*',
                          '*share*',
                          '*statement*'
            )
            or strings.ilike(.display_url.url,
                             '*shared*',
                             '*document*',
                             '*secure*',
                             '*office*',
                             '*important*',
                             '*wants-to*',
                             '*share*',
                             '*statement*'
            )
            or strings.ilike(.display_text,
                             '*shared*',
                             '*document*',
                             '*secure*',
                             '*office*',
                             '*important*',
                             '*wants-to*',
                             '*share*',
                             '*statement*'
            )
          )
  )
  // exclude Notion's own notification mailer (sender domain string only)
  and sender.email.domain.domain != 'mail.notion.so'

  // first-time sender
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
# Taxonomy metadata used for classification and reporting; does not
# affect matching.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
# Stable rule identifier; keep unchanged when forking so the fork can be
# traced back to this rule.
id: "f7307929-bbfd-58b6-81e4-afff7610cff2"