Link: Commonly Abused Web Service redirecting to ZIP file
Detects messages containing links from URL shorteners, free file hosts, or suspicious domains that redirect to ZIP file downloads, potentially indicating malware distribution.
Detection Query
type.inbound
and 0 < length(body.links) < 15
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(body.links,
        (
          // root domain is commonly abused
          .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.root_domain in $self_service_creation_platform_domains
          or .href_url.domain.tld in $suspicious_tlds
          // or a somewhat recently registered domain
          or network.whois(.href_url.domain).days_old < 30
        )
        // we DON'T want the original link to end in .zip
        and not strings.iends_with(.href_url.url, '.zip')
        // we DO want the effective (redirected) URL to end in .zip
        and strings.iends_with(ml.link_analysis(.).effective_url.url, '.zip')
)
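The rule's logic modelled in Python as an added example (not Sublime's code), run against constructed messages; the list inputs ($url_shorteners and friends) and the link-analysis and whois enrichments are replaced by constructed lookup tables, and the `.example` hostnames are placeholders.

```python
from urllib.parse import urlparse

# Constructed stand-ins for the rule's list inputs ($url_shorteners, $free_file_hosts,
# $suspicious_tlds) and for its two enrichments: ml.link_analysis(.).effective_url
# and network.whois(.).days_old. A real deployment gets these from the platform.
URL_SHORTENERS = {"short.example"}
FREE_FILE_HOSTS = {"files.example"}
SUSPICIOUS_TLDS = {"top"}
EFFECTIVE_URL = {  # original href -> URL reached after following redirects
    "https://short.example/abc": "https://cdn.example/payload.zip",
    "https://files.example/dl/1": "https://files.example/dl/1/report.pdf",
    "https://new-site.example/get": "https://mirror.example/INVOICE.ZIP",
    "https://short.example/x.zip": "https://cdn.example/x.zip",
    "https://lure.top/go": "https://cdn.example/a.zip",
}
DOMAIN_AGE_DAYS = {"new-site.example": 12, "short.example": 4000, "files.example": 3000}

def root_domain(host):
    # simplified registrable-domain extraction (no public-suffix list)
    return ".".join(host.split(".")[-2:])

def is_abused_service(url):
    # mirrors the rule's first group: commonly abused root domain, suspicious TLD,
    # or a domain registered fewer than 30 days ago. An unknown age does not match,
    # just as a null whois result would not satisfy "< 30" in the rule.
    host = urlparse(url).hostname or ""
    root = root_domain(host)
    return (root in URL_SHORTENERS or root in FREE_FILE_HOSTS
            or host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS
            or DOMAIN_AGE_DAYS.get(root, 10**9) < 30)

def redirects_to_zip(url):
    # the original link must NOT end in .zip, but the effective (redirected) one must;
    # comparison is case-insensitive, like strings.iends_with
    effective = EFFECTIVE_URL.get(url, url)  # no known redirect -> same URL
    return not url.lower().endswith(".zip") and effective.lower().endswith(".zip")

def rule_matches(msg):
    # msg is a constructed dict: {"to": [recipient addresses], "links": [hrefs]}
    links = msg["links"]
    if not (0 < len(links) < 15) or len(msg["to"]) != 1:
        return False
    if "." not in msg["to"][0].rpartition("@")[2]:  # recipients.to[0].email.domain.valid
        return False
    return any(is_abused_service(u) and redirects_to_zip(u) for u in links)
```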
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
type: "rule"
severity: "medium"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Free file host"
- "Free subdomain host"
- "Open redirect"
- "Evasion"
detection_methods:
- "URL analysis"
- "Whois"
- "Archive analysis"
id: "a1132f52-101c-5675-baa2-fc14c49a2315"