← Back to Explore
sublimemediumRule
Service abuse: SendThisFile with credential theft and financial language
Detects messages from sendthisfile.com containing credential theft language combined with financial communications topics.
Detection Query
type.inbound
and sender.email.domain.root_domain == "sendthisfile.com"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Financial Communications" and .confidence != "low"
)
// not a reply or forward
and (headers.in_reply_to is null or length(headers.references) == 0)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: SendThisFile with credential theft and financial language"
description: "Detects messages from sendthisfile.com containing credential theft language combined with financial communications topics."
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.domain.root_domain == "sendthisfile.com"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Financial Communications" and .confidence != "low"
)
// not a reply or forward
and (headers.in_reply_to is null or length(headers.references) == 0)
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "c1ebf25b-0707-504f-b041-e7c27dfa9f05"