← Back to Explore
sublimehighRule
Attachment: Calendar invite with suspicious link leading to an open redirect
Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.
MITRE ATT&CK
Detection Query
type.inbound
and any(attachments,
(
.file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
)
and any(file.explode(.),
any(.scan.url.urls,
(
.domain.domain in $free_file_hosts
or (
.domain.root_domain in $free_subdomain_hosts
and .domain.subdomain is not null
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
and .domain.subdomain != "www"
)
)
and any(ml.link_analysis(.).final_dom.links,
any(.href_url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Calendar invite with suspicious link leading to an open redirect"
description: "Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect."
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
)
and any(file.explode(.),
any(.scan.url.urls,
(
.domain.domain in $free_file_hosts
or (
.domain.root_domain in $free_subdomain_hosts
and .domain.subdomain is not null
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
and .domain.subdomain != "www"
)
)
and any(ml.link_analysis(.).final_dom.links,
any(.href_url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
attack_types:
- "Spam"
tactics_and_techniques:
- "Free email provider"
- "Free file host"
- "Free subdomain host"
- "Open redirect"
detection_methods:
- "Content analysis"
- "URL analysis"
id: "5d6294c7-0b75-5722-851e-27015170bd42"