← Back to Explore
sublimemediumRule
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments
Detection Query
type.inbound
and (
any(body.links,
// filter potentially known good domains
// prevents FPs on entries such as drive[.]google[.]com, or
// other accidental pushes to the List
.href_url.domain.domain not in $free_file_hosts
and .href_url.domain.root_domain not in $free_file_hosts
and .href_url.domain.domain not in $tranco_1m
and .href_url.domain.domain not in $umbrella_1m
// this ensures we don't flag on legit FQDNs that
// aren't in the Tranco 1M, but their root domains are
// eg: support[.]google[.]com
and .href_url.domain.root_domain not in $tranco_1m
and .href_url.domain.root_domain not in $umbrella_1m
and .href_url.domain.root_domain not in $free_subdomain_hosts
and .href_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
)
or any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
// filter potentially known good domains
// prevents FPs on entries such as drive[.]google[.]com, or
// other accidental pushes to the List
.domain.domain not in $free_file_hosts
and .domain.root_domain not in $free_file_hosts
and .domain.domain not in $free_subdomain_hosts
and .domain.domain not in $tranco_1m
and .domain.domain not in $umbrella_1m
// this ensures we don't flag on legit FQDNs that
// aren't in the Tranco 1M, but their root domains are
// eg: support[.]google[.]com
and .domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
and .domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Abusech: URLhaus
Raw Content
name: "URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)"
description: "Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments"
type: "rule"
severity: "medium"
source: |
type.inbound
and (
any(body.links,
// filter potentially known good domains
// prevents FPs on entries such as drive[.]google[.]com, or
// other accidental pushes to the List
.href_url.domain.domain not in $free_file_hosts
and .href_url.domain.root_domain not in $free_file_hosts
and .href_url.domain.domain not in $tranco_1m
and .href_url.domain.domain not in $umbrella_1m
// this ensures we don't flag on legit FQDNs that
// aren't in the Tranco 1M, but their root domains are
// eg: support[.]google[.]com
and .href_url.domain.root_domain not in $tranco_1m
and .href_url.domain.root_domain not in $umbrella_1m
and .href_url.domain.root_domain not in $free_subdomain_hosts
and .href_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
)
or any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
// filter potentially known good domains
// prevents FPs on entries such as drive[.]google[.]com, or
// other accidental pushes to the List
.domain.domain not in $free_file_hosts
and .domain.root_domain not in $free_file_hosts
and .domain.domain not in $free_subdomain_hosts
and .domain.domain not in $tranco_1m
and .domain.domain not in $umbrella_1m
// this ensures we don't flag on legit FQDNs that
// aren't in the Tranco 1M, but their root domains are
// eg: support[.]google[.]com
and .domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
and .domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
)
)
)
)
tags:
- "Abusech: URLhaus"
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "PDF"
detection_methods:
- "File analysis"
- "Threat intelligence"
- "URL analysis"
id: "cfca2986-0daa-582c-a379-fb0a31329847"