EXPLORE
Sign In
← Back to Explore
sublimelowRule

Spam: URL shortener with short body content and emojis

Detects spam from freemail senders, where the majority of the body is a URL shortener and emojis.

MITRE ATT&CK

T1566

Detection Query

type.inbound

// sender is a freemail
and sender.email.domain.root_domain in $free_email_providers

// has a URL shortener
and any(body.links,
        .href_url.domain.root_domain in $url_shorteners
        or .href_url.domain.root_domain in $social_landing_hosts
)

// short body, basically just the URL
and length(body.plain.raw) < 100

// has an emoji in the subject or body
and (
  regex.contains(body.plain.raw,
                 '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
  )
  or regex.contains(subject.subject,
                    '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
  )
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Spam: URL shortener with short body content and emojis"
description: |
  Detects spam from freemail senders, where the majority of the body is a URL shortener and emojis.
type: "rule"
severity: "low"
source: |
  type.inbound
  
  // sender is a freemail
  and sender.email.domain.root_domain in $free_email_providers
  
  // has a URL shortener
  and any(body.links,
          .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.root_domain in $social_landing_hosts
  )
  
  // short body, basically just the URL
  and length(body.plain.raw) < 100
  
  // has an emoji in the subject or body
  and (
    regex.contains(body.plain.raw,
                   '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
    )
    or regex.contains(subject.subject,
                      '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
    )
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "b7797e4c-f2d7-5330-8a16-7123fe9bb6a8"