← Back to Explore
sublimemediumRule
Link: Scribd fullscreen link from suspicious sender
Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.
Detection Query
type.inbound
and length(body.links) < 10
and any(body.links,
(
.href_url.domain.root_domain == "scribd.com"
or strings.icontains(.href_url.query_params, 'scribd.com')
or strings.icontains(.href_url.query_params, 'scribd%2ecom')
or strings.icontains(.href_url.query_params, 'scribd%252ecom')
)
and strings.icontains(.href_url.fragment, 'fullscreen')
)
and not profile.by_sender_email().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Scribd fullscreen link from suspicious sender"
description: "Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.links) < 10
and any(body.links,
(
.href_url.domain.root_domain == "scribd.com"
or strings.icontains(.href_url.query_params, 'scribd.com')
or strings.icontains(.href_url.query_params, 'scribd%2ecom')
or strings.icontains(.href_url.query_params, 'scribd%252ecom')
)
and strings.icontains(.href_url.fragment, 'fullscreen')
)
and not profile.by_sender_email().any_messages_benign
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
- "Evasion"
detection_methods:
- "URL analysis"
- "Sender analysis"
id: "9e9bc972-d4e1-5bd0-96bc-b8b10e74b02a"