sublime · medium · Rule
File sharing link from suspicious sender domain
A file sharing link in the body sent from a suspicious sender domain.
Detection Query

type.inbound
and any(body.links,
        (
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
        )
        and not .href_url.domain.domain in $tenant_domains
        // remove free_file_hosts used to host images as links
        and not any($file_types_images,
                    strings.iends_with(..href_url.url, strings.concat('.', .))
        )
)
and sender.email.domain.tld in $suspicious_tlds
and not sender.email.domain.root_domain in ("notion.so", "cribl.cloud")
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
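The following is an added Python emulation of the query's logic so the conditions can be walked through on constructed messages; it is not Sublime's engine or MQL, and the list variables ($free_file_hosts, $tenant_domains, $suspicious_tlds, $file_types_images) are replaced by small constructed stand-ins.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for the rule's list variables (not Sublime's real lists).
FREE_FILE_HOSTS = {"mega.nz", "transfer.sh", "wetransfer.com"}
TENANT_DOMAINS = {"example-corp.com"}
SUSPICIOUS_TLDS = {"xyz", "top", "icu"}
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "svg"}
EXEMPT_SENDER_ROOTS = {"notion.so", "cribl.cloud"}  # literal list from the rule body

@dataclass
class SenderProfile:           # models profile.by_sender()
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_messages_benign: bool = False

@dataclass
class Message:                 # models the inbound message fields the rule reads
    sender_email: str
    body_links: list
    profile: SenderProfile

def root_domain(host: str) -> str:
    # Naive registered-domain guess (last two labels); the engine uses a suffix list.
    return ".".join(host.lower().split(".")[-2:])

def is_free_file_host_link(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    on_free_host = host in FREE_FILE_HOSTS or root_domain(host) in FREE_FILE_HOSTS
    # strings.iends_with(..href_url.url, '.' + ext): image links on free hosts are ignored
    is_image = any(url.lower().endswith("." + ext) for ext in FILE_TYPES_IMAGES)
    return on_free_host and host not in TENANT_DOMAINS and not is_image

def rule_matches(msg: Message) -> bool:
    sender_host = msg.sender_email.rsplit("@", 1)[-1].lower()
    if not any(is_free_file_host_link(u) for u in msg.body_links):
        return False
    if sender_host.rsplit(".", 1)[-1] not in SUSPICIOUS_TLDS:
        return False
    if root_domain(sender_host) in EXEMPT_SENDER_ROOTS:
        return False
    p = msg.profile
    return (not p.solicited) or (p.any_messages_malicious_or_spam and not p.any_messages_benign)

if __name__ == "__main__":
    # Constructed sample: unsolicited sender on a suspicious TLD linking to a free file host.
    sample = Message("billing@invoice-portal.xyz",
                     ["https://mega.nz/file/constructed-id"], SenderProfile(solicited=False))
    print("match" if rule_matches(sample) else "no match")
```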
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "File sharing link from suspicious sender domain"
description: |
  A file sharing link in the body sent from a suspicious sender domain.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          (
            .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
          )
          and not .href_url.domain.domain in $tenant_domains
          // remove free_file_hosts used to host images as links
          and not any($file_types_images,
                      strings.iends_with(..href_url.url, strings.concat('.', .))
          )
  )
  and sender.email.domain.tld in $suspicious_tlds
  and not sender.email.domain.root_domain in ("notion.so", "cribl.cloud")
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "95f20354-3091-537e-9fe0-80ea8b64913b"