Link: .onion From Unsolicited Sender
Detects messages containing .onion (Tor network) links from unsolicited senders that either lack proper DMARC authentication or are not from trusted domains.
Sublime rule (View on GitHub)
name: "Link: .onion From Unsolicited Sender"
description: "Detects messages containing .onion (Tor network) links from unsolicited senders that either lack proper DMARC authentication or are not from trusted domains."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(body.links, .href_url.domain.tld == "onion")
  and not profile.by_sender_email().solicited
  // and the sender is not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Header analysis"
  - "Sender analysis"
id: "9ac0fc83-4c18-5a62-83e0-8fd0af9cffe0"
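To make the rule's clauses concrete, here is an added Python re-implementation of the same logic run over constructed messages (this is not part of the Sublime rule or its MQL engine). The `Message` fields, the `HIGH_TRUST_ROOT_DOMAINS` stand-in for `$high_trust_sender_root_domains`, and the simplified `tld`/`root_domain` helpers (last label and last two labels, no public-suffix list) are assumptions made for the example.

```python
# Added example: evaluate the ".onion from unsolicited sender" rule in Python.
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for the $high_trust_sender_root_domains list.
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}


@dataclass
class Message:
    inbound: bool          # type.inbound
    sender_email: str      # sender.email
    link_hrefs: list       # body.links[].href_url
    dmarc_pass: bool       # headers.auth_summary.dmarc.pass
    solicited: bool        # profile.by_sender_email().solicited


def tld(host: str) -> str:
    # Approximation of .domain.tld: the last DNS label (no public-suffix list).
    return host.rsplit(".", 1)[-1].lower()


def root_domain(host: str) -> str:
    # Approximation of .domain.root_domain: the last two labels.
    return ".".join(host.lower().split(".")[-2:])


def link_host(href: str) -> str:
    # Bare hostnames get a scheme so urlparse fills in .hostname.
    parsed = urlparse(href if "://" in href else "http://" + href)
    return (parsed.hostname or "").lower()


def has_onion_link(msg: Message) -> bool:
    # any(body.links, .href_url.domain.tld == "onion"); note that a host such
    # as "example.onion.com" has tld "com" and does not match.
    return any(tld(link_host(h)) == "onion" for h in msg.link_hrefs)


def rule_matches(msg: Message) -> bool:
    if not msg.inbound or not has_onion_link(msg) or msg.solicited:
        return False
    sender_root = root_domain(msg.sender_email.split("@")[-1])
    trusted = sender_root in HIGH_TRUST_ROOT_DOMAINS
    # Fire for a trusted root domain that fails DMARC, or for any untrusted domain.
    return (trusted and not msg.dmarc_pass) or not trusted
```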