Link: Apple TestFlight from free email provider

 1name: "Link: Apple TestFlight from free email provider"
 2description: "Detects messages containing links to Apple TestFlight domains sent from free email providers, indicating potential service abuse of Apple's beta testing service."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.domain in ('testflight.apple.com')
 9          or (
10            .href_url.domain.root_domain == "mimecastprotect.com"
11            and any(.href_url.query_params_decoded['domain'],
12                    . in ("testflight.apple.com")
13            )
14          )
15  )
16  and not (
17    (subject.is_forward or subject.is_reply)
18    and (length(headers.references) != 0 or headers.in_reply_to is not null)
19    and length(body.previous_threads) > 0
20  )
21  and (
22    sender.email.domain.domain in $free_email_providers
23    or beta.profile.by_reply_to().solicited == false
24    or (
25      beta.profile.by_reply_to().any_messages_malicious_or_spam
26      and not beta.profile.by_reply_to().any_messages_benign
27    )
28  )  
29
30tags:
31 - "Attack surface reduction"
32attack_types:
33  - "Credential Phishing"
34tactics_and_techniques:
35  - "Free email provider"
36  - "Evasion"
37detection_methods:
38  - "Sender analysis"
39  - "URL analysis"
40id: "9b447f1f-4091-517d-a2b8-2a869aa46301"