URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)

Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments


 1name: "URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)"
 2description: "Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    any(body.links,
 9        // filter potentially known good domains
10        // prevents FPs on entries such as drive[.]google[.]com, or
11        // other accidental pushes to the List
12        .href_url.domain.domain not in $free_file_hosts
13        and .href_url.domain.domain not in $tranco_1m
14        and .href_url.domain.domain not in $umbrella_1m
15        and 
16
17        // this ensures we don't flag on legit FQDNs that
18        // aren't in the Tranco 1M, but their root domains are
19        // eg: support[.]google[.]com
20        .href_url.domain.root_domain not in $tranco_1m
21        and .href_url.domain.root_domain not in $umbrella_1m
22        and .href_url.domain.root_domain not in $free_subdomain_hosts
23        and .href_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
24    )
25    or any(attachments,
26           .file_type == "pdf"
27           and any(file.explode(.),
28                   any(.scan.pdf.urls,
29                       // filter potentially known good domains
30                       // prevents FPs on entries such as drive[.]google[.]com, or
31                       // other accidental pushes to the List
32                       .domain.domain not in $free_file_hosts
33                       and .domain.domain not in $free_subdomain_hosts
34                       and .domain.domain not in $tranco_1m
35                       and .domain.domain not in $umbrella_1m
36                       and 
37
38                       // this ensures we don't flag on legit FQDNs that
39                       // aren't in the Tranco 1M, but their root domains are
40                       // eg: support[.]google[.]com
41                       .domain.root_domain not in $tranco_1m
42                       and .domain.root_domain not in $umbrella_1m
43                       and .domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
44                   )
45           )
46    )
47  )  
48tags:
49  - "Abusech: URLhaus"
50attack_types:
51  - "Credential Phishing"
52  - "Malware/Ransomware"
53tactics_and_techniques:
54  - "PDF"
55detection_methods:
56  - "File analysis"
57  - "Threat intelligence"
58  - "URL analysis"
59id: "cfca2986-0daa-582c-a379-fb0a31329847"