Spam: Campaign with excessive space/char obfuscation and free file hosted link

This rule detects mass spam campaigns that pad the message body with excessive spaces between characters and include links to free file hosting services.

Sublime rule (View on GitHub)

name: "Spam: Campaign with excessive space/char obfuscation and free file hosted link"
description: |
  This rule detects mass spam campaigns using excessive space padding with
  links utilizing free file hosting.
references:
  - "https://playground.sublimesecurity.com?id=a340c08c-a1d9-41a9-96f8-6d1fe888cb5b"
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(attachments) == 0
  and regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
                      '([a-zA-Z\d\.]\s){30,}'
  )
  and any(body.links,
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or profile.by_sender().any_messages_malicious_or_spam
    or sender.email.domain.valid == false
  )

  and not profile.by_sender().any_false_positives
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "122bc0ca-4f9c-5403-9b4e-7e9d47b92ef2"
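
The rule's content conditions can be exercised offline. The following Python is an added example, not part of the Sublime rule or its project: it reuses the rule's regex and approximates the link check, with `FREE_FILE_HOSTS`, the placeholder `.example` domains and the sample messages all constructed for illustration. The `profile.by_sender()` and sender-domain conditions are not modelled.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the rule: 30+ consecutive "letter/digit/dot + one whitespace" pairs.
SPACED_RUN = re.compile(r'([a-zA-Z\d\.]\s){30,}', re.IGNORECASE)

# Constructed stand-in for the $free_file_hosts list (placeholder domains).
FREE_FILE_HOSTS = {"files.example", "drop.example"}


def has_spaced_run(text):
    """True when the body text contains the space-padded run the rule looks for."""
    return SPACED_RUN.search(text) is not None


def links_to_free_host(urls, hosts=FREE_FILE_HOSTS):
    """Approximate the domain / root_domain checks: match the host or any parent domain."""
    for url in urls:
        labels = (urlsplit(url).hostname or "").lower().split(".")
        if any(".".join(labels[i:]) in hosts for i in range(len(labels))):
            return True
    return False


def content_conditions(msg):
    """Attachment, body and link conditions only; sender profiling is not modelled."""
    return (len(msg["attachments"]) == 0
            and has_spaced_run(msg["body_text"])
            and links_to_free_host(msg["links"]))


# Constructed sample messages.
PADDED = {"attachments": [], "links": ["https://cdn.drop.example/f/1"],
          "body_text": " ".join("congratulationsyouhavebeenselected") + " click here"}
NORMAL = {"attachments": [], "links": ["https://drop.example/f/2"],
          "body_text": "Please find the quarterly report at the link below."}

if __name__ == "__main__":
    for name, msg in (("padded", PADDED), ("normal", NORMAL)):
        print(name, content_conditions(msg))
```

The `{30,}` quantifier counts character-plus-whitespace pairs, so a run of 30 spaced characters with no trailing whitespace yields only 29 pairs and does not match.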