← Back to Explore
sublimemediumRule
Link: IPFS
Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.
Detection Query
type.inbound
and any(body.links,
// Any body link domains contain "ipfs"
(
strings.icontains(.href_url.domain.domain, "ipfs")
and not .href_url.domain.root_domain == "ipfs.com"
)
// Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
or (
regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
and .href_url.domain.domain not in $org_domains
and (
(
// don't include high rep domains
.href_url.domain.domain not in $tranco_1m
and .href_url.domain.domain not in $umbrella_1m
)
// if it's in Tranco or Umbrella, still include it if it's one of these
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
)
)
)
// adding negation block for legitimate domains with ipfs in their name
and not sender.email.domain.domain in ("shipfsl.com")
// negate ipfs.com issues
and not any(recipients.to, .email.domain.domain == "ipfs.com")
and not (
sender.email.domain.root_domain is not null
and sender.email.domain.root_domain == "ipfs.com"
and headers.auth_summary.dmarc.pass
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Link: IPFS"
description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites."
references:
- "https://securelist.com/ipfs-phishing/109158/"
- "https://docs.ipfs.tech/how-to/address-ipfs-on-web/"
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.links,
// Any body link domains contain "ipfs"
(
strings.icontains(.href_url.domain.domain, "ipfs")
and not .href_url.domain.root_domain == "ipfs.com"
)
// Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
or (
regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
and .href_url.domain.domain not in $org_domains
and (
(
// don't include high rep domains
.href_url.domain.domain not in $tranco_1m
and .href_url.domain.domain not in $umbrella_1m
)
// if it's in Tranco or Umbrella, still include it if it's one of these
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
)
)
)
// adding negation block for legitimate domains with ipfs in their name
and not sender.email.domain.domain in ("shipfsl.com")
// negate ipfs.com issues
and not any(recipients.to, .email.domain.domain == "ipfs.com")
and not (
sender.email.domain.root_domain is not null
and sender.email.domain.root_domain == "ipfs.com"
and headers.auth_summary.dmarc.pass
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Free file host"
- "Free subdomain host"
- "IPFS"
detection_methods:
- "Sender analysis"
- "URL analysis"
id: "19fa6442-83b9-5479-ba04-61906b595929"