URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)

Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments

Sublime rule (View on GitHub)

# Sublime Security detection rule (YAML wrapper around an MQL expression).
# The expression under `source:` is the detection logic; the remaining keys
# are rule metadata.
name: "URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)"
description: "Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments"
type: "rule"
severity: "medium"
source: |
  // Fires on inbound mail when a domain from the URLhaus trusted-reporter feed
  // ($abuse_ch_urlhaus_domains_trusted_reporters) appears either as a link in
  // the message body or as a URL extracted from a PDF attachment. Each branch
  // first excludes domains present in several allowlists (free file hosts,
  // free subdomain hosts, Tranco 1M, Umbrella 1M) so that popular or
  // shared-hosting domains that land on the feed do not produce FPs.
  type.inbound
  and (
    any(body.links,
        // filter potentially known good domains
        // prevents FPs on entries such as drive[.]google[.]com, or
        // other accidental pushes to the List
      
        .href_url.domain.domain not in $free_file_hosts
        and .href_url.domain.root_domain not in $free_file_hosts
        and .href_url.domain.domain not in $tranco_1m
        and .href_url.domain.domain not in $umbrella_1m
  
        // this ensures we don't flag on legit FQDNs that
        // aren't in the Tranco 1M, but their root domains are
        // eg: support[.]google[.]com
        and .href_url.domain.root_domain not in $tranco_1m
        and .href_url.domain.root_domain not in $umbrella_1m
        and .href_url.domain.root_domain not in $free_subdomain_hosts
        // Consequence of the exclusions above: a feed domain that is also in
        // the Tranco/Umbrella 1M will never fire here. This trades recall for
        // precision; detections for such domains must come from another rule.
        // NOTE(review): the feed match in this branch is on root_domain, while
        // the PDF branch below matches on the full domain (.domain.domain) -
        // confirm the asymmetry is intended.
        and .href_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
    )
    // Only attachments whose detected file_type is "pdf" are exploded and
    // scanned in this rule; other attachment types are not inspected here.
    or any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  any(.scan.pdf.urls,
                      // filter potentially known good domains
                      // prevents FPs on entries such as drive[.]google[.]com, or
                      // other accidental pushes to the List
                      .domain.domain not in $free_file_hosts
                      and .domain.root_domain not in $free_file_hosts
                      // NOTE(review): $free_subdomain_hosts is checked against the
                      // full domain here but against root_domain in the body
                      // branch - confirm which form is intended.
                      and .domain.domain not in $free_subdomain_hosts
                      and .domain.domain not in $tranco_1m
                      and .domain.domain not in $umbrella_1m
  
                      // this ensures we don't flag on legit FQDNs that
                      // aren't in the Tranco 1M, but their root domains are
                      // eg: support[.]google[.]com
                      and .domain.root_domain not in $tranco_1m
                      and .domain.root_domain not in $umbrella_1m
                      // Feed match on the full domain (the body branch uses root_domain).
                      and .domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
                  )
          )
    )
  )  


# Rule metadata.
tags:
  - "Abusech: URLhaus"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "Threat intelligence"
  - "URL analysis"
id: "cfca2986-0daa-582c-a379-fb0a31329847"