File sharing link with a suspicious subject

name: "File sharing link with a suspicious subject"
description: |
  A file sharing link in the body with a common BEC subject. This rule could be expanded to 
  include additional BEC subjects.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain != 'google.com'
  and not (
    sender.email.domain.root_domain == "dropbox.com"
    and headers.auth_summary.dmarc.pass
  )
  and any(body.links,
          (
            .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
          )
          and not (
            // negating Google Forms links
            .href_url.domain.domain == "docs.google.com"
            and strings.istarts_with(.href_url.path, "/forms/")
          )
          and not .href_url.domain.domain in $tenant_domains
  )
  and regex.icontains(subject.subject, 'immediately', 'urgent')
  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "a306e2a6-addc-5e26-9be1-c146f37fd7f2"