Sublime | medium | Rule

Link: File sharing impersonation with suspicious language and sending patterns

Detects messages containing file sharing and cloud services topics combined with BEC or credential theft language, featuring links with document-related display text that lead to low-reputation domains outside the sender's domain and organization.

Detection Query

// Only inbound messages are evaluated.
type.inbound
// NLU topic gate: the current thread text must be classified under the
// "File Sharing and Cloud Services" topic at any confidence other than "low".
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "File Sharing and Cloud Services" and .confidence != "low"
)
// NLU intent gate: the same thread text must also carry BEC or
// credential-theft intent, again at better than "low" confidence.
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec", "cred_theft") and .confidence != "low"
)
// Link gate: at least one link whose display text reads like a document /
// download lure, but whose root domain is not the sender's, is not on the
// $tranco_1m list, is not one of the organization's own domains ($org_domains),
// and is marked valid.
and any(body.links,
        regex.icontains(.display_text, "document", "download")
        and .href_url.domain.root_domain != sender.email.domain.root_domain
        and .href_url.domain.root_domain not in $tranco_1m
        and .href_url.domain.root_domain not in $org_domains
        and .href_url.domain.valid

        // Exclude legitimate document services
        // (root domains on the $free_file_hosts list are not counted by this
        // link check, so lures hosted there will not satisfy this rule)
        and not .href_url.domain.root_domain in $free_file_hosts
)
// suspicious sending/recipient pattern
// At least one of the following five recipient/header anomalies must hold
// (MQL "N of" semantics).
and 1 of (
  // 1. Sender is the sole To recipient (actual targets presumably in Bcc).
  (
    length(recipients.to) == 1
    and recipients.to[0].email.email == sender.email.email
  ),
  // 2. Reply-To lands on a free email provider and differs from the sending domain.
  any(headers.reply_to,
      .email.domain.domain in $free_email_providers
      and .email.domain.domain != sender.email.domain.domain
  ),
  // 3. The single To recipient is duplicated as the single Cc recipient.
  (
    length(recipients.to) == 1
    and length(recipients.cc) == 1
    and recipients.to[0].email.email == recipients.cc[0].email.email
  ),
  // 4. "+SRS=" (Sender Rewriting Scheme) markers in the return path or in any
  //    SPF designator, typically seen on forwarded mail.
  (
    strings.icontains(headers.return_path.local_part, "+SRS=")
    or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
    or any(headers.hops,
           strings.icontains(.authentication_results.spf_details.designator,
                             '+SRS='
           )
    )
  ),
  // No recipients visible
  // 5. Empty To (or only "undisclosed recipients" placeholders) AND empty Cc.
  //    The trailing "and length(recipients.cc) == 0" belongs to this fifth
  //    item only, not to the whole "1 of" list.
  (
    length(recipients.to) == 0
    or all(recipients.to,
           .display_name in ("Undisclosed recipients", "undisclosed-recipients")
    )
  )
  and length(recipients.cc) == 0
)

// negate highly trusted sender domains unless they fail DMARC authentication
// A sender on $high_trust_sender_root_domains only passes this gate when its
// DMARC check did not pass; every other sender passes unconditionally.
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime detection rule definition (the "Raw Content" shown on the rule page).
name: "Link: File sharing impersonation with suspicious language and sending patterns"
description: "Detects messages containing file sharing and cloud services topics combined with BEC or credential theft language, featuring links with document-related display text that lead to low-reputation domains outside the sender's domain and organization."
# Rule kind and its assigned severity.
type: "rule"
severity: "medium"
# MQL detection logic. The message matches when the whole expression is true;
# the query's own "//" comments document each gate.
source: |
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "File Sharing and Cloud Services" and .confidence != "low"
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("bec", "cred_theft") and .confidence != "low"
  )
  and any(body.links,
          regex.icontains(.display_text, "document", "download")
          and .href_url.domain.root_domain != sender.email.domain.root_domain
          and .href_url.domain.root_domain not in $tranco_1m
          and .href_url.domain.root_domain not in $org_domains
          and .href_url.domain.valid
  
          // Exclude legitimate document services
          and not .href_url.domain.root_domain in $free_file_hosts
  )
  // suspicious sending/recipient pattern
  and 1 of (
    (
      length(recipients.to) == 1
      and recipients.to[0].email.email == sender.email.email
    ),
    any(headers.reply_to,
        .email.domain.domain in $free_email_providers
        and .email.domain.domain != sender.email.domain.domain
    ),
    (
      length(recipients.to) == 1
      and length(recipients.cc) == 1
      and recipients.to[0].email.email == recipients.cc[0].email.email
    ),
    (
      strings.icontains(headers.return_path.local_part, "+SRS=")
      or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
      or any(headers.hops,
             strings.icontains(.authentication_results.spf_details.designator,
                               '+SRS='
             )
      )
    ),
    // No recipients visible
    (
      length(recipients.to) == 0
      or all(recipients.to,
             .display_name in ("Undisclosed recipients", "undisclosed-recipients")
      )
    )
    and length(recipients.cc) == 0
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata: what the rule targets and how it detects it.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free subdomain host"
  - "Impersonation: Brand"
# Signal families the query above draws on (NLU, link, sender, header, body content).
detection_methods:
  - "Natural Language Understanding"
  - "URL analysis"
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
# Stable identifier for this rule.
id: "d3363041-f38d-538c-8633-29d7d6f80ca7"