Spam: Link to blob.core.windows.net from new domain (<30d)

calendar May 21, 2024  ·
Share on: linkedin copy

This rule detects messages containing a link to blob.core.windows.net from a sender domain less than 30 days old. There is a single recipient present, but the recipient is a random email address, and not someone at the organization.

Sublime rule (View on GitHub)

 1name: "Spam: Link to blob.core.windows.net from new domain (<30d)"
 2description: "This rule detects messages containing a link to blob.core.windows.net from a sender domain less than 30 days old. There is a single recipient present, but the recipient is a random email address, and not someone at the organization."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(recipients.to) == 1
 8  and any(recipients.to, .email.domain.root_domain not in $org_domains)
 9  and network.whois(sender.email.domain).days_old < 30
10  and length(body.links) < 3
11  and any(body.links,
12          strings.ends_with(.href_url.domain.subdomain, "blob.core")
13          and .href_url.domain.root_domain == "windows.net"
14  )
15  and (
16    not profile.by_sender().solicited
17    or (
18      profile.by_sender().any_messages_malicious_or_spam
19      and not profile.by_sender().any_false_positives
20    )
21  )
22  and not profile.by_sender().any_false_positives  
23
24attack_types:
25  - "Spam"
26tactics_and_techniques:
27  - "Free subdomain host"
28detection_methods:
29  - "Header analysis"
30  - "URL analysis"
31  - "Sender analysis"
32id: "a09b3800-50b6-5ea9-b96e-367b6c8b5125"
to-top