← Back to Explore
sublimemediumRule
Attachment: Small text file with link containing recipient email address
Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links.
Detection Query
type.inbound
and any(attachments,
.content_type in~ ("text/plain", "text")
// negate calendar invites
and not (
.file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
)
and any(file.explode(.),
.size < 1000
and any(.scan.url.urls,
any(recipients.to,
strings.icontains(..url, .email.email)
and .email.domain.valid
)
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: Small text file with link containing recipient email address"
description: "Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
.content_type in~ ("text/plain", "text")
// negate calendar invites
and not (
.file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
)
and any(file.explode(.),
.size < 1000
and any(.scan.url.urls,
any(recipients.to,
strings.icontains(..url, .email.email)
and .email.domain.valid
)
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "File analysis"
- "URL analysis"
id: "c0472c9d-1e06-5177-90b1-f57620944ff5"