sublimelowRule

Link: .onion From Unsolicited Sender

Detects messages containing .onion (Tor network) links from unsolicited senders that either lack proper DMARC authentication or are not from trusted domains.

MITRE ATT&CK

T1566.001 T1204.002 T1486 T1566 T1566.002 T1598 T1036 T1027

defense-evasioninitial-access

Detection Query

type.inbound
and any(body.links, .href_url.domain.tld == "onion")
and not profile.by_sender_email().solicited
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Tags

Attack surface reduction

Raw Content

name: "Link: .onion From Unsolicited Sender"
description: "Detects messages containing .onion (Tor network) links from unsolicited senders that either lack proper DMARC authentication or are not from trusted domains."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(body.links, .href_url.domain.tld == "onion")
  and not profile.by_sender_email().solicited
  // and the sender is not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Header analysis"
  - "Sender analysis"
id: "9ac0fc83-4c18-5a62-83e0-8fd0af9cffe0"