Spam: Campaign with excessive space/char obfuscation and free file hosted link
This rule detects mass spam campaigns that pad the message body with excessive whitespace between characters and link to free file hosting services.
Sublime rule

```yaml
name: "Spam: Campaign with excessive space/char obfuscation and free file hosted link"
description: |
  This rule detects mass spam campaigns using excessive space padding with
  links utilizing free file hosting.
references:
  - "https://playground.sublimesecurity.com?id=a340c08c-a1d9-41a9-96f8-6d1fe888cb5b"
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(attachments) == 0
  and regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
                      '([a-zA-Z\d\.]\s){30,}'
  )
  and any(body.links,
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or profile.by_sender().any_messages_malicious_or_spam
    or sender.email.domain.valid == false
  )

  and not profile.by_sender().any_false_positives
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "122bc0ca-4f9c-5403-9b4e-7e9d47b92ef2"
```
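To see how the rule's conditions combine, here is an added Python re-implementation of the source block over a constructed message model; it is not Sublime's code. The `$free_file_hosts` list is replaced by placeholder domains, `root_domain` is a simplified last-two-labels approximation, and the sender profile fields are plain booleans and strings.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Same pattern the rule passes to regex.icontains: 30 or more consecutive
# "one character followed by one whitespace" pairs.
PADDING_RE = re.compile(r"([a-zA-Z\d\.]\s){30,}", re.IGNORECASE)

# Constructed placeholder standing in for Sublime's $free_file_hosts list.
FREE_FILE_HOSTS = {"free-files.example", "quickshare.example"}


@dataclass
class Message:
    body_text: str                 # coalesce(body.html.inner_text, display_text)
    links: list[str]               # body.links[].href_url
    attachments: int               # length(attachments)
    sender_prevalence: str         # profile.by_sender().prevalence
    sender_spam_history: bool = False     # any_messages_malicious_or_spam
    sender_domain_valid: bool = True      # sender.email.domain.valid
    sender_false_positives: bool = False  # any_false_positives


def root_domain(host: str) -> str:
    # Simplified stand-in for .root_domain (last two labels); Sublime uses
    # the public suffix list, so multi-part TLDs behave differently there.
    return ".".join(host.lower().split(".")[-2:])


def uses_free_file_host(links: list[str]) -> bool:
    for url in links:
        host = urlparse(url).hostname or ""
        if host in FREE_FILE_HOSTS or root_domain(host) in FREE_FILE_HOSTS:
            return True
    return False


def rule_matches(msg: Message) -> bool:
    if msg.attachments != 0 or not PADDING_RE.search(msg.body_text):
        return False
    if not uses_free_file_host(msg.links):
        return False
    sender_suspicious = (msg.sender_prevalence in ("new", "outlier")
                         or msg.sender_spam_history
                         or not msg.sender_domain_valid)
    return sender_suspicious and not msg.sender_false_positives


# Constructed sample: one space between every character, as in the padded
# campaigns the rule targets, plus a link on a placeholder free file host.
SAMPLE_SPAM = Message(
    body_text=" ".join("Yourdocumentisreadyclickheretodownload"),
    links=["https://cdn.free-files.example/get/abc123"],
    attachments=0, sender_prevalence="new")
```

Note that a run of two or more spaces resets the regex count, so the padding has to be a single whitespace character per letter for the rule to fire.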