sublime | medium | Rule

Link: Suspicious Loom HTML file path

Detects inbound messages containing links to Loom HTML files, which may be used to deliver malicious content or bypass security controls through the legitimate Loom platform.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and any(body.current_thread.links,
        regex.imatch(.href_url.path, '/loom/[^\/]+\.html')
)
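
A way to sanity-check the path pattern against sample links before deploying the rule, as an added example that is not part of the rule itself. It assumes `regex.imatch` is a case-insensitive match over the entire `.href_url.path`, approximates that field with Python's `urlsplit(...).path`, and uses constructed `example.test` links; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the rule. Assumption: regex.imatch must match the whole
# path, case-insensitively, so fullmatch + IGNORECASE is used here.
LOOM_HTML_PATH = re.compile(r"/loom/[^/]+\.html", re.IGNORECASE)


def link_matches(url: str) -> bool:
    """True when the URL's path is exactly /loom/<one segment>.html."""
    # Assumption: urlsplit().path stands in for .href_url.path
    # (query string and fragment are not part of the path).
    return LOOM_HTML_PATH.fullmatch(urlsplit(url).path) is not None


def rule_fires(inbound: bool, links: list[str]) -> bool:
    """Mirror of: type.inbound and any(body.current_thread.links, ...)."""
    return inbound and any(link_matches(u) for u in links)


# Constructed sample links mapped to the expected per-link verdict.
SAMPLES = {
    "https://files.example.test/loom/invoice.html": True,
    "https://files.example.test/LOOM/Shared-Video.HTML": True,    # case-insensitive
    "https://files.example.test/loom/invoice.html?id=1#top": True,  # query ignored
    "https://other.example.test/loom/x.html": True,               # host is not checked
    "https://files.example.test/loom/a/b.html": False,            # extra path segment
    "https://files.example.test/loom/invoice.htm": False,         # wrong extension
    "https://files.example.test/share/loom/invoice.html": False,  # prefix before /loom/
    "https://files.example.test/loom/": False,                    # no file name
}


def check_samples() -> list[str]:
    """Return the sample URLs whose verdict differs from the expectation."""
    return [u for u, want in SAMPLES.items() if link_matches(u) != want]


if __name__ == "__main__":
    for url, want in SAMPLES.items():
        print(f"{link_matches(url)!s:5} (expected {want!s:5}) {url}")
    print("mismatches:", check_samples())
```

Because the pattern only constrains the path, any host serving `/loom/<name>.html` matches, which is worth keeping in mind when triaging hits.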

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Link: Suspicious Loom HTML file path"
description: "Detects inbound messages containing links to Loom HTML files, which may be used to deliver malicious content or bypass security controls through the legitimate Loom platform."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.current_thread.links,
          regex.imatch(.href_url.path, '/loom/[^\/]+\.html')
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "HTML analysis"
  - "URL analysis"
id: "bd27e7ec-1e77-5134-a572-32d642058aa5"