sublimelowRule

Spam: Campaign with excessive space/char obfuscation and free file hosted link

This rule detects mass spam campaigns using excessive space padding with links utilizing free file hosting.

MITRE ATT&CK

Detection Query

type.inbound
and length(attachments) == 0
and regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
                    '([a-zA-Z\d\.]\s){30,}'
)
and any(body.links,
        .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.root_domain in $free_file_hosts
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or profile.by_sender().any_messages_malicious_or_spam
  or sender.email.domain.valid == false
)
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://playground.sublimesecurity.com?id=a340c08c-a1d9-41a9-96f8-6d1fe888cb5b

Raw Content

name: "Spam: Campaign with excessive space/char obfuscation and free file hosted link"
description: |
  This rule detects mass spam campaigns using excessive space padding with
  links utilizing free file hosting.
references:
  - "https://playground.sublimesecurity.com?id=a340c08c-a1d9-41a9-96f8-6d1fe888cb5b"
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(attachments) == 0
  and regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
                      '([a-zA-Z\d\.]\s){30,}'
  )
  and any(body.links,
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or profile.by_sender().any_messages_malicious_or_spam
    or sender.email.domain.valid == false
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "122bc0ca-4f9c-5403-9b4e-7e9d47b92ef2"