
Link: Apple TestFlight from suspicious sender

Detects messages containing Apple TestFlight links from free email providers or suspicious senders with no prior benign communication history.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.domain in ('testflight.apple.com')
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and any(.href_url.query_params_decoded['domain'],
                  . in ("testflight.apple.com")
          )
        )
)
and not (
  (subject.is_forward or subject.is_reply)
  and (length(headers.references) != 0 or headers.in_reply_to is not null)
  and length(body.previous_threads) > 0
)
and (
  sender.email.domain.domain in $free_email_providers
  or beta.profile.by_reply_to().solicited == false
  or (
    beta.profile.by_reply_to().any_messages_malicious_or_spam
    and not beta.profile.by_reply_to().any_messages_benign
  )
)
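As an added illustration that is not part of the Sublime rule or its platform, the query's logic re-implemented in Python and run over constructed sample messages: it resolves TestFlight links both directly and through a Mimecast-rewritten URL whose `domain` query parameter carries the real destination, applies the thread-reply exclusion, and applies the sender conditions. The message and profile dictionaries, the `FREE_EMAIL_PROVIDERS` subset and the helper names are assumptions standing in for the MQL fields (`$free_email_providers`, `beta.profile.by_reply_to()`).

```python
from urllib.parse import urlsplit, parse_qs

TESTFLIGHT_DOMAINS = {"testflight.apple.com"}
# Constructed stand-in for the $free_email_providers list
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

def root_domain(host):
    # Crude eTLD+1; sufficient for the mimecastprotect.com comparison below
    return ".".join(host.split(".")[-2:])

def link_targets_testflight(href):
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    if host in TESTFLIGHT_DOMAINS:
        return True
    # Mimecast-rewritten link: the real destination host is in the 'domain' query parameter
    if root_domain(host) == "mimecastprotect.com":
        targets = parse_qs(u.query).get("domain", [])
        return any(d.lower() in TESTFLIGHT_DOMAINS for d in targets)
    return False

def is_genuine_thread_reply(msg):
    # The rule's exclusion: reply/forward subject AND threading headers AND quoted history
    return ((msg["is_reply"] or msg["is_forward"])
            and (len(msg["references"]) != 0 or msg["in_reply_to"] is not None)
            and len(msg["previous_threads"]) > 0)

def sender_is_suspicious(msg, profile):
    # profile mirrors beta.profile.by_reply_to(); solicited may be None (unknown), which,
    # like MQL's null, does not satisfy '== false'
    return (msg["sender_domain"] in FREE_EMAIL_PROVIDERS
            or profile["solicited"] is False
            or (profile["malicious_or_spam"] and not profile["benign"]))

def rule_matches(msg, profile):
    return (msg["inbound"]
            and any(link_targets_testflight(h) for h in msg["links"])
            and not is_genuine_thread_reply(msg)
            and sender_is_suspicious(msg, profile))

def make_msg(links, sender_domain, **overrides):
    # Constructed message record with the handful of fields the rule reads
    msg = dict(inbound=True, links=links, sender_domain=sender_domain, is_reply=False,
               is_forward=False, references=[], in_reply_to=None, previous_threads=[])
    msg.update(overrides)
    return msg

UNKNOWN_SENDER = {"solicited": False, "malicious_or_spam": False, "benign": False}
KNOWN_GOOD_SENDER = {"solicited": True, "malicious_or_spam": False, "benign": True}
```

A message with a TestFlight link from a known, solicited sender with benign history does not match, while the same link inside a new thread from a free-mail or unknown sender does.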

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content
name: "Link: Apple TestFlight from suspicious sender"
description: "Detects messages containing Apple TestFlight links from free email providers or suspicious senders with no prior benign communication history."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain in ('testflight.apple.com')
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and any(.href_url.query_params_decoded['domain'],
                    . in ("testflight.apple.com")
            )
          )
  )
  and not (
    (subject.is_forward or subject.is_reply)
    and (length(headers.references) != 0 or headers.in_reply_to is not null)
    and length(body.previous_threads) > 0
  )
  and (
    sender.email.domain.domain in $free_email_providers
    or beta.profile.by_reply_to().solicited == false
    or (
      beta.profile.by_reply_to().any_messages_malicious_or_spam
      and not beta.profile.by_reply_to().any_messages_benign
    )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "9b447f1f-4091-517d-a2b8-2a869aa46301"