sublime | high | Rule
Link: Breely link masquerading as PDF
Detects messages containing a single Breely link whose display text presents it as a PDF file. The link typically redirects to a different destination for malicious purposes.
Detection Query
type.inbound
and length(filter(body.links, .href_url.domain.root_domain == "breely.com")) == 1
and any(body.links,
        .href_url.domain.root_domain == "breely.com"
        and strings.icontains(.display_text, ".pdf")
)
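The query's three conditions, replayed in Python over constructed messages. This is an added example, not part of the original rule or of Sublime's code; the message layout, the `root_domain` helper and the sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def root_domain(url):
    # Assumption: the last two host labels approximate root_domain. That is
    # enough for breely.com but is not a full public-suffix lookup.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def rule_matches(msg):
    breely = [l for l in msg["links"] if root_domain(l["href"]) == "breely.com"]
    return (
        msg["inbound"]            # type.inbound
        and len(breely) == 1      # length(filter(...)) == 1
        # any(...) with strings.icontains: case-insensitive ".pdf" in display text
        and any(".pdf" in l["text"].lower() for l in breely)
    )

def link(href, text):
    return {"href": href, "text": text}

# Constructed sample messages (hosts and display text are made up).
SAMPLES = {
    "pdf_label_plus_other_link": {"inbound": True, "links": [
        link("https://sample-page.breely.com/", "Q3_Invoice.PDF"),
        link("https://www.example.com/unsubscribe", "Unsubscribe")]},
    "no_pdf_label": {"inbound": True, "links": [
        link("https://sample-page.breely.com/", "View document")]},
    "two_breely_links": {"inbound": True, "links": [
        link("https://sample-page.breely.com/", "Invoice.pdf"),
        link("https://breely.com/", "Made with Breely")]},
    "outbound_message": {"inbound": False, "links": [
        link("https://sample-page.breely.com/", "Invoice.pdf")]},
    "pdf_label_on_other_host": {"inbound": True, "links": [
        link("https://files.example.org/a", "report.pdf")]},
}

def evaluate_samples():
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

Only the first sample satisfies all three conditions: the count applies to Breely links alone, so an unrelated second link does not stop the match, and `.PDF` matches because the comparison is case-insensitive.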
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Breely link masquerading as PDF"
description: "Detects messages containing a single Breely link that displays as a PDF file. Typically, redirects to a different destination for malicious purposes."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(filter(body.links, .href_url.domain.root_domain == "breely.com")) == 1
  and any(body.links,
          .href_url.domain.root_domain == "breely.com"
          and strings.icontains(.display_text, ".pdf")
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "4a498c21-2f8a-5b54-84f5-c3c4ad3ee8e9"