← Back to Explore
sublimemediumRule
Link: Direct link to gamma.app document with mode parameter
Detects URLs linking to Gamma App presentation or document mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities.
Detection Query
type.inbound
and length(body.links) < 10
and any(body.links,
(
.href_url.domain.root_domain == "gamma.app"
or strings.icontains(.href_url.query_params, 'gamma.app')
or strings.icontains(.href_url.query_params, 'gamma%2eapp')
or strings.icontains(.href_url.query_params, 'gamma%252eapp')
)
and regex.icontains(.href_url.query_params, 'mode=(present|doc)')
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Direct link to gamma.app document with mode parameter"
description: "Detects URLs linking to Gamma App presentation or document mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.links) < 10
and any(body.links,
(
.href_url.domain.root_domain == "gamma.app"
or strings.icontains(.href_url.query_params, 'gamma.app')
or strings.icontains(.href_url.query_params, 'gamma%2eapp')
or strings.icontains(.href_url.query_params, 'gamma%252eapp')
)
and regex.icontains(.href_url.query_params, 'mode=(present|doc)')
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Free file host"
- "Evasion"
detection_methods:
- "URL analysis"
id: "080ab581-e6ab-5c82-927b-e57f3080f27a"