URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments
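# Sublime detection rule: flags inbound mail whose body links or PDF-embedded
# URLs point at a domain present in the URLhaus "trusted reporters" list
# ($abuse_ch_urlhaus_domains_trusted_reporters), after excluding domains that
# also appear in popularity / free-hosting allow-lists.
#
# Listing repaired: the rendered page fused gutter line numbers into every line
# and dropped the block-scalar indentation, so the YAML did not parse as-is.
name: "URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)"
description: "Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Branch 1: hyperlinks in the message body.
    any(body.links,
        // filter potentially known good domains
        // prevents FPs on entries such as drive[.]google[.]com, or
        // other accidental pushes to the List
        .href_url.domain.domain not in $free_file_hosts
        and .href_url.domain.root_domain not in $free_file_hosts
        and .href_url.domain.domain not in $tranco_1m
        and .href_url.domain.domain not in $umbrella_1m

        // this ensures we don't flag on legit FQDNs that
        // aren't in the Tranco 1M, but their root domains are
        // eg: support[.]google[.]com
        and .href_url.domain.root_domain not in $tranco_1m
        and .href_url.domain.root_domain not in $umbrella_1m
        and .href_url.domain.root_domain not in $free_subdomain_hosts
        // NOTE(review): this branch matches the URLhaus list on root_domain,
        // while the PDF branch below matches on the full domain (FQDN).
        // Whether that asymmetry is intended depends on which form the list
        // entries take -- confirm against the list before changing either.
        and .href_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
    )
    // Branch 2: URLs extracted from PDF attachments by file.explode.
    or any(attachments,
           .file_type == "pdf"
           and any(file.explode(.),
                   any(.scan.pdf.urls,
                       // filter potentially known good domains
                       // prevents FPs on entries such as drive[.]google[.]com, or
                       // other accidental pushes to the List
                       .domain.domain not in $free_file_hosts
                       and .domain.root_domain not in $free_file_hosts
                       // NOTE(review): $free_subdomain_hosts is checked on the
                       // FQDN here but on root_domain in the body-links branch;
                       // the two branches are not applying the same exclusions.
                       and .domain.domain not in $free_subdomain_hosts
                       and .domain.domain not in $tranco_1m
                       and .domain.domain not in $umbrella_1m

                       // this ensures we don't flag on legit FQDNs that
                       // aren't in the Tranco 1M, but their root domains are
                       // eg: support[.]google[.]com
                       and .domain.root_domain not in $tranco_1m
                       and .domain.root_domain not in $umbrella_1m
                       // NOTE(review): FQDN match here vs root_domain match in
                       // the body-links branch -- see note above.
                       and .domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
                   )
           )
    )
  )

tags:
  - "Abusech: URLhaus"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "Threat intelligence"
  - "URL analysis"
id: "cfca2986-0daa-582c-a379-fb0a31329847"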