Link: Direct link to limewire hosted file

name: "Link: Direct link to limewire hosted file"
description: "Message contains exactly one link to limewire.com domain with fewer than 10 total links in the body."
type: "rule"
severity: "high"
source: |
  type.inbound
  // there are few links
  and length(body.links) < 10
  // contains a link to limewire
  and any(body.links, .href_url.domain.domain == "limewire.com")
  // is the only link to limewire
  and length(filter(body.links,
                    .href_url.domain.root_domain == "limewire.com"
                    and strings.istarts_with(.href_url.path, "/d/")
             )
  ) == 1
  and not length(body.previous_threads) > 0
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender_email().any_messages_benign
tags:
 - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "70840d00-c6e3-59ec-8dc5-8156e61abec6"