← Back to Explore
sublimemediumRule
Attachment: RTF file with suspicious link
This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain.
Detection Query
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_common_archives
or .file_type == "rtf"
)
and any(file.explode(.),
.flavors.mime == 'text/rtf'
and any(.scan.url.urls,
.domain.valid
and .domain.subdomain is not null
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
and (
(
.domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
)
or (
.domain.root_domain in $free_file_hosts
or .domain.root_domain in $free_file_hosts
or .domain.root_domain in $free_subdomain_hosts
or .domain.root_domain in $url_shorteners
or .domain.root_domain in $social_landing_hosts
)
// or the url contains the recipient email and the root_domain is not in tranco
or (
any(recipients.to,
strings.icontains(..url, .email.email)
)
and (
.domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
)
)
)
)
)
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: RTF file with suspicious link"
description: "This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_common_archives
or .file_type == "rtf"
)
and any(file.explode(.),
.flavors.mime == 'text/rtf'
and any(.scan.url.urls,
.domain.valid
and .domain.subdomain is not null
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
and (
(
.domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
)
or (
.domain.root_domain in $free_file_hosts
or .domain.root_domain in $free_file_hosts
or .domain.root_domain in $free_subdomain_hosts
or .domain.root_domain in $url_shorteners
or .domain.root_domain in $social_landing_hosts
)
// or the url contains the recipient email and the root_domain is not in tranco
or (
any(recipients.to,
strings.icontains(..url, .email.email)
)
and (
.domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
)
)
)
)
)
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Archive analysis"
- "File analysis"
- "Sender analysis"
- "URL analysis"
id: "c848f9aa-6e2e-55ea-857e-9d040b22544f"