Service abuse: SendThisFile with credential theft and financial language

Detects messages from sendthisfile.com containing credential theft language combined with financial communications topics.

Sublime rule

```yaml
name: "Service abuse: SendThisFile with credential theft and financial language"
description: "Detects messages from sendthisfile.com containing credential theft language combined with financial communications topics."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == "sendthisfile.com"
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Financial Communications" and .confidence != "low"
  )
  // not a reply or forward
  and (headers.in_reply_to is null or length(headers.references) == 0)

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "c1ebf25b-0707-504f-b041-e7c27dfa9f05"
```
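To see how the rule's clauses combine, here is an added Python example that re-implements the same five conditions over constructed messages. It is not Sublime's code and does not reproduce `ml.nlu_classifier`; the intent and topic labels are constructed stand-ins for the classifier's output, and `root_domain()` is a simplified assumption (the real field is computed against the public suffix list). It is useful for checking which clause a candidate message fails, including the reply/forward check, which as written still matches a message that carries `In-Reply-To` but an empty `References` header.

```python
# Added example, not part of the Sublime rule page or Sublime's own code.
# The classifier labels below are constructed stand-ins for
# ml.nlu_classifier(...).intents / .topics; root_domain() is a simplified
# assumption rather than Sublime's public-suffix-based implementation.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Label:
    name: str
    confidence: str  # "low", "medium" or "high"


@dataclass
class Message:
    inbound: bool
    sender_email: str
    in_reply_to: Optional[str]   # headers.in_reply_to
    references: list             # headers.references
    intents: list                # stand-in for classifier intents
    topics: list                 # stand-in for classifier topics


def root_domain(email: str) -> str:
    """Simplified stand-in for sender.email.domain.root_domain (last two labels)."""
    domain = email.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def any_label(labels: list, name: str) -> bool:
    """Mirrors any(labels, .name == name and .confidence != "low")."""
    return any(lbl.name == name and lbl.confidence != "low" for lbl in labels)


def evaluate(msg: Message) -> dict:
    """Evaluate each clause of the rule; 'match' is true only when all fire."""
    clauses = {
        "inbound": msg.inbound,
        "sender_is_sendthisfile": root_domain(msg.sender_email) == "sendthisfile.com",
        "cred_theft_intent": any_label(msg.intents, "cred_theft"),
        "financial_topic": any_label(msg.topics, "Financial Communications"),
        # "not a reply or forward": passes if either header is absent/empty
        "not_reply": msg.in_reply_to is None or len(msg.references) == 0,
    }
    clauses["match"] = all(clauses.values())
    return clauses


def sample_messages() -> dict:
    """Constructed messages covering the main ways the rule can fire or miss."""
    cred = Label("cred_theft", "high")
    fin = Label("Financial Communications", "medium")
    base = dict(inbound=True, sender_email="noreply@sendthisfile.com",
                in_reply_to=None, references=[], intents=[cred], topics=[fin])
    return {
        # every clause satisfied
        "hit": Message(**base),
        # genuine reply: In-Reply-To set and References populated
        "reply": Message(**{**base, "in_reply_to": "<a@x>", "references": ["<a@x>"]}),
        # In-Reply-To set but References empty still passes the reply check
        "reply_no_refs": Message(**{**base, "in_reply_to": "<a@x>"}),
        # classifier unsure about the intent
        "low_confidence": Message(**{**base, "intents": [Label("cred_theft", "low")]}),
        # same language, different file-sharing service
        "other_sender": Message(**{**base, "sender_email": "noreply@example.com"}),
        # subdomain of the service still resolves to the root domain
        "subdomain": Message(**{**base, "sender_email": "alerts@files.SendThisFile.com"}),
    }


if __name__ == "__main__":
    for label, msg in sample_messages().items():
        print(f"{label:15s} {evaluate(msg)}")
```

Running the module prints the clause breakdown for each constructed message; the `reply_no_refs` case is worth noting when tuning the rule, because the `or` in the reply/forward clause means only one of the two headers needs to be empty for the message to be treated as a fresh thread.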