Sublime rule, severity: medium
Link: Apple App Store malicious ad manager themed apps from free email provider
Detects inbound messages that contain Apple App Store links and are sent from free email providers, indicating potential abuse of legitimate Apple services to host malicious ad-manager-themed applications.
MITRE ATT&CK
initial-access, defense-evasion
Detection Query
type.inbound
and any(body.current_thread.links,
        .href_url.domain.domain in ('apps.apple.com')
        and regex.icount(.href_url.path,
                         '[/-](?:suite|ads?|manager?|campaigns?)'
        ) >= 2
)
and sender.email.domain.domain in $free_email_providers
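The query combines three conditions: the message is inbound, at least one link in the current thread points at apps.apple.com with a path that hits the ad-manager term regex two or more times (case-insensitively), and the sender's domain is a free email provider. The following Python is an added example that re-implements those three checks over constructed sample messages; it is not Sublime's code and not part of the rule. The FREE_EMAIL_PROVIDERS set, the message dictionaries, and the app IDs in the links are assumptions standing in for Sublime's $free_email_providers list and real message objects.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for Sublime's $free_email_providers list (assumption,
# not the real list).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}

# Same pattern as the rule. The rule uses regex.icount, i.e. a case-insensitive
# count, so IGNORECASE is set here to match that behaviour.
AD_MANAGER_TERMS = re.compile(r"[/-](?:suite|ads?|manager?|campaigns?)", re.IGNORECASE)


def sender_domain(address):
    """Equivalent of sender.email.domain.domain: the part after the last '@'."""
    return address.rsplit("@", 1)[-1].lower()


def count_ad_manager_terms(path):
    """Equivalent of regex.icount(.href_url.path, ...) in the rule."""
    return len(AD_MANAGER_TERMS.findall(path))


def is_app_store_ad_manager_link(href):
    """True when the link's host is exactly apps.apple.com and its path
    contains at least two ad-manager themed segments."""
    parsed = urlparse(href)
    if parsed.hostname is None or parsed.hostname.lower() != "apps.apple.com":
        return False
    return count_ad_manager_terms(parsed.path) >= 2


def matches_rule(message):
    """Apply the rule's three conditions to a simplified message dict."""
    if message.get("direction") != "inbound":
        return False
    if sender_domain(message["sender"]) not in FREE_EMAIL_PROVIDERS:
        return False
    return any(is_app_store_ad_manager_link(h) for h in message["links"])


# Constructed sample messages (assumptions; the app IDs are placeholders).
SAMPLE_MESSAGES = [
    {   # free-mail sender, path hits /ads, -manager, -suite -> 3 matches -> alert
        "direction": "inbound",
        "sender": "promo123@gmail.com",
        "links": ["https://apps.apple.com/us/app/ads-manager-suite/id000000000"],
    },
    {   # same link, but corporate sender -> no alert
        "direction": "inbound",
        "sender": "billing@example-corp.com",
        "links": ["https://apps.apple.com/us/app/ads-manager-suite/id000000000"],
    },
    {   # free-mail sender, ordinary app path -> 0 matches -> no alert
        "direction": "inbound",
        "sender": "friend@yahoo.com",
        "links": ["https://apps.apple.com/us/app/weather-radar/id111111111"],
    },
    {   # only one themed segment (/campaign) -> below the >= 2 threshold
        "direction": "inbound",
        "sender": "someone@outlook.com",
        "links": ["https://apps.apple.com/us/app/campaign-tracker/id222222222"],
    },
    {   # outbound message is out of scope regardless of content
        "direction": "outbound",
        "sender": "promo123@gmail.com",
        "links": ["https://apps.apple.com/us/app/ads-manager-suite/id000000000"],
    },
]


def evaluate(messages=SAMPLE_MESSAGES):
    """Return the rule verdict for each message, in order."""
    return [matches_rule(m) for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, evaluate()):
        print(f"{m['sender']:<28} {m['links'][0]:<65} -> {verdict}")
```

The fourth sample shows why the threshold is two: a single themed path segment such as "campaign" is common in legitimate app names, so the rule only fires when the path stacks several ad-manager terms together.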
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Apple App Store malicious ad manager themed apps from free email provider"
description: "Detects inbound messages that contain Apple App Store links and are sent from free email providers, indicating potential abuse of legitimate Apple services to host malicious ad-manager-themed applications."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.current_thread.links,
          .href_url.domain.domain in ('apps.apple.com')
          and regex.icount(.href_url.path,
                           '[/-](?:suite|ads?|manager?|campaigns?)'
          ) >= 2
  )
  and sender.email.domain.domain in $free_email_providers
attack_types:
- "Credential Phishing"
- "BEC/Fraud"
- "Malware/Ransomware"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
- "Evasion"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "URL analysis"
id: "9ce402c6-fa1a-5b6c-b45c-37dc7d52f65d"