Sublime · Severity: medium · Rule
Link: Free file hosting with undisclosed recipients
Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.
Detection Query
// Scope: inbound mail only.
type.inbound
// no previous threads
and (
  length(body.previous_threads) == 0
  // If there is a previous thread, it is unrelated to current thread
  // (at least one quoted message was not sent by this mailbox, so a thread
  // made up only of the mailbox owner's own messages is skipped).
  // NOTE(review): any() passes as soon as one quoted sender differs from the
  // mailbox, even if the mailbox owner authored the other quoted messages.
  or any(body.previous_threads, .sender.email.email != mailbox.email.email)
)
// few links that aren't "social" links
// Count body links after dropping the listed social-network root domains and
// require between 1 and 9 (inclusive): mail with no qualifying link and mail
// with ten or more links both fall outside the rule.
and 0 < length(filter(body.current_thread.links,
                      .href_url.domain.root_domain not in (
                        'x.com',
                        'facebook.com',
                        'twitter.com',
                        'instagram.com',
                        'youtube.com',
                        'linkedin.com'
                      )
               )
  ) < 10
// undisclosed recipients or all recipients cc'd
and (
  // ilike is case-insensitive and '?' matches exactly one character, so
  // "undisclosed recipients", "undisclosed-recipients" and
  // "undisclosed:recipients" display names all match.
  any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  // Nobody in To and everyone in Cc...
  or (length(recipients.cc) > 0 and length(recipients.to) == 0)
  // ...or nobody in To and everyone in Bcc.
  or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
  // Sender addressed the message only to their own address. This mailbox
  // still received it, so the real recipients were presumably hidden (Bcc or
  // list expansion); the last check keeps the mailbox owner's own self-sent
  // mail out of this branch.
  or (
    length(recipients.to) == 1
    and length(recipients.cc) == 0
    and length(recipients.bcc) == 0
    and all(recipients.to, .email.email == sender.email.email)
    and all(recipients.to, .email.email != mailbox.email.email)
  )
)
// links to free file hosts or free subdomain hosts
// $free_file_hosts, $free_subdomain_hosts and $tenant_domains are list
// references maintained outside this rule.
and any(body.current_thread.links,
        (
          .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
        )
        // only links that are visible in the rendered body
        and .visible
        // exclude the googleusercontent.com "/mail-sig" path (presumably
        // Gmail signature assets), which would otherwise match if
        // googleusercontent.com is in one of the free-host lists
        and not (
          .href_url.domain.root_domain == "googleusercontent.com"
          and strings.istarts_with(.href_url.path, "/mail-sig")
        )
        // compares the full host (.domain.domain) rather than root_domain, so
        // only hosts listed verbatim in $tenant_domains are exempted
        and not .href_url.domain.domain in $tenant_domains
)
// negate listmailers & benign threads
and not (
  // a List-Unsubscribe header on any hop marks mailing-list traffic
  any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
  // NLU classifier rates the body text as benign with high confidence
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "benign" and .confidence == "high"
  )
)
// Twilio/Zendesk notifications are exempted only when DMARC passes, so a
// message that merely claims one of these domains in From or Return-Path is
// still evaluated.
and not (
  (
    sender.email.domain.root_domain in ("twilio.com", "zendesk.com")
    or headers.return_path.domain.root_domain in ("twilio.com", "zendesk.com")
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// unsolicited and passing auth, or failing/missing dmarc
// coalesce(..., false) treats an absent DMARC verdict as a failure. The three
// branches together reduce to: sender not solicited, OR no inbound from this
// sender address in over a year, OR DMARC not passing. Note the two profile
// scopes differ (by_sender() vs by_sender_email()).
and (
  (
    coalesce(headers.auth_summary.dmarc.pass, false)
    and not profile.by_sender().solicited
  )
  or profile.by_sender_email().days_since.last_inbound > 365
  or (not coalesce(headers.auth_summary.dmarc.pass, false))
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Free file hosting with undisclosed recipients"
description: "Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms."
type: "rule"
severity: "medium"
source: |
type.inbound
// no previous threads
and (
length(body.previous_threads) == 0
// If there is a previous thread, it is unrelated to current thread
or any(body.previous_threads, .sender.email.email != mailbox.email.email)
)
// few links that aren't "social" links
and 0 < length(filter(body.current_thread.links,
.href_url.domain.root_domain not in (
'x.com',
'facebook.com',
'twitter.com',
'instagram.com',
'youtube.com',
'linkedin.com'
)
)
) < 10
// undisclosed recipients or all recipients cc'd
and (
any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
or (length(recipients.cc) > 0 and length(recipients.to) == 0)
or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
or (
length(recipients.to) == 1
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
and all(recipients.to, .email.email == sender.email.email)
and all(recipients.to, .email.email != mailbox.email.email)
)
)
// links to free file hosts or free subdomain hosts
and any(body.current_thread.links,
(
.href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
)
and .visible
and not (
.href_url.domain.root_domain == "googleusercontent.com"
and strings.istarts_with(.href_url.path, "/mail-sig")
)
and not .href_url.domain.domain in $tenant_domains
)
// negate listmailers & benign threads
and not (
any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
and not (
(
sender.email.domain.root_domain in ("twilio.com", "zendesk.com")
or headers.return_path.domain.root_domain in ("twilio.com", "zendesk.com")
)
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// unsolicited and passing auth, or failing/missing dmarc
and (
(
coalesce(headers.auth_summary.dmarc.pass, false)
and not profile.by_sender().solicited
)
or profile.by_sender_email().days_since.last_inbound > 365
or (not coalesce(headers.auth_summary.dmarc.pass, false))
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Free file host"
- "Free subdomain host"
- "Evasion"
detection_methods:
- "Header analysis"
- "URL analysis"
- "Sender analysis"
- "Natural Language Understanding"
id: "b6281306-bf26-58e2-8445-0ef8d05d9820"