← Back to Explore
sublimemediumRule
Service abuse: Behance document sharing with suspicious language
Detects messages containing document sharing language with a single Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes.
Detection Query
type.inbound
and length(body.current_thread.text) < 10000
and strings.ilike(body.current_thread.text,
"*proposal*",
"*specified link*",
"*secure*"
)
and length(filter(body.current_thread.links,
.href_url.domain.root_domain == 'behance.net'
and strings.icontains(.href_url.path, '/gallery/')
and .display_url.domain.root_domain == 'behance.net'
and strings.icontains(.display_url.path, '/gallery/')
)
) == 1
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: Behance document sharing with suspicious language"
description: "Detects messages containing document sharing language with a single Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.current_thread.text) < 10000
and strings.ilike(body.current_thread.text,
"*proposal*",
"*specified link*",
"*secure*"
)
and length(filter(body.current_thread.links,
.href_url.domain.root_domain == 'behance.net'
and strings.icontains(.href_url.path, '/gallery/')
and .display_url.domain.root_domain == 'behance.net'
and strings.icontains(.display_url.path, '/gallery/')
)
) == 1
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
detection_methods:
- "Content analysis"
- "URL analysis"
id: "7cd9666f-29fc-5390-9053-08537ef83051"