sublime · high · Rule
Service abuse: Vimeo with external plain-text links in message
Detects messages abusing Vimeo notifications about received messages that contain plain-text links redirecting to domains other than Vimeo, potentially leading users to malicious websites.
Detection Query
type.inbound
and sender.email.domain.domain == 'vimeo.com'
and strings.ends_with(subject.base, 'sent you a message on Vimeo')
and (
  // plain-text url that does not go to vimeo
  any(filter(body.current_thread.links, .parser == "plain"),
      .display_url.domain.root_domain != 'vimeo.com'
  )
)
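The query's conditions, emulated in Python over constructed messages. This is an added example, not Sublime's code or part of the rule; the message fields, the helper names and the two-label `root_domain` shortcut are assumptions standing in for Sublime's parsed message model.

```python
# Added example: emulates the rule's three conditions on constructed messages.
# Field names and helpers are hypothetical, not Sublime's message model.
import re
from urllib.parse import urlsplit

SUBJECT_SUFFIX = "sent you a message on Vimeo"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def root_domain(url):
    """Last two host labels (assumption: enough for this sample data;
    real code needs the Public Suffix List for suffixes like co.uk)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return ".".join(host.split(".")[-2:])

def plain_text_links(body):
    """URLs typed as text, standing in for links with .parser == "plain"."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(body)]

def matches_rule(msg):
    """True when all conditions of the rule hold for the message."""
    if msg["direction"] != "inbound":
        return False
    if msg["sender_domain"] != "vimeo.com":
        return False
    if not msg["subject"].endswith(SUBJECT_SUFFIX):
        return False
    # Flag as soon as one plain-text link leaves vimeo.com.
    return any(root_domain(u) != "vimeo.com" for u in plain_text_links(msg["body"]))

def make(sender_domain, body, subject="Alice " + SUBJECT_SUFFIX):
    return {"direction": "inbound", "sender_domain": sender_domain,
            "subject": subject, "body": body}

# Constructed samples; the .example hosts are placeholders.
SAMPLES = {
    "genuine": make("vimeo.com", "Reply here: https://vimeo.com/messages/1."),
    "subdomain": make("vimeo.com", "Watch https://player.vimeo.com/video/1"),
    "abuse": make("vimeo.com", "Your file: https://docs.login-check.example/view"),
    "other_sender": make("mail.example", "See https://docs.login-check.example/view"),
    "other_subject": make("vimeo.com", "See https://docs.login-check.example/view",
                          subject="Your weekly Vimeo digest"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:14} -> {matches_rule(msg)}")
```

Only the `abuse` sample matches: the sender and subject are those of a real Vimeo notification, but the body carries a plain-text URL whose root domain is not `vimeo.com`.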
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Service abuse: Vimeo with external plain-text links in message"
description: "Detects messages abusing Vimeo notifications about received messages that contain plain-text links redirecting to domains other than Vimeo, potentially leading users to malicious websites."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.domain == 'vimeo.com'
  and strings.ends_with(subject.base, 'sent you a message on Vimeo')
  and (
    // plain-text url that does not go to vimeo
    any(filter(body.current_thread.links, .parser == "plain"),
        .display_url.domain.root_domain != 'vimeo.com'
    )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Sender analysis"
- "Content analysis"
- "URL analysis"
id: "ba94ae6b-d554-55ef-a039-ad1d73b84ed0"