Catbox.moe link from untrusted source
Detects inbound messages containing links to the catbox.moe file hosting service (links whose path ends in .json are excluded) from senders that are either outside the highly trusted sender domains or inside them but failed DMARC authentication.
Detection Query
type.inbound
and any(body.links,
        .href_url.domain.root_domain == "catbox.moe"
        and not strings.iends_with(.href_url.path, ".json")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
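The rule's logic re-implemented in Python over constructed sample messages, so the DMARC fallback (an absent verdict is treated as a failure for trusted domains) can be exercised directly. This is an added example, not Sublime's engine or MQL; the trusted-domain set, the Message model and the naive root_domain helper are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the $high_trust_sender_root_domains list (assumption)
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "google.com"}

@dataclass
class Message:  # minimal message model (assumption)
    sender_email: str
    links: List[str]
    dmarc_pass: Optional[bool] = None  # None = headers.auth_summary.dmarc.pass absent

def root_domain(host: str) -> str:
    """Naive root domain (last two labels); the real engine is public-suffix aware."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def has_catbox_link(links: List[str]) -> bool:
    """any(body.links, root_domain == "catbox.moe" and not iends_with(path, ".json"))"""
    for href in links:
        url = urlparse(href)
        if root_domain(url.hostname or "") != "catbox.moe":
            continue
        if not url.path.lower().endswith(".json"):  # iends_with is case-insensitive
            return True
    return False

def matches_rule(msg: Message) -> bool:
    """True when the message would match the rule above."""
    if not has_catbox_link(msg.links):
        return False
    sender_root = root_domain(msg.sender_email.rsplit("@", 1)[-1])
    if sender_root in HIGH_TRUST_SENDER_ROOT_DOMAINS:
        # coalesce(dmarc.pass, false): an absent DMARC verdict counts as not passing,
        # so mail claiming a trusted domain without authentication still matches.
        return not (msg.dmarc_pass if msg.dmarc_pass is not None else False)
    return True  # any sender outside the trusted list matches

# Constructed sample messages covering each branch of the rule
SAMPLES = {
    "untrusted_zip": Message("mail@example.net", ["https://files.catbox.moe/abc.zip"]),
    "untrusted_json": Message("mail@example.net", ["https://catbox.moe/data.JSON"]),
    "trusted_dmarc_pass": Message("it@microsoft.com", ["https://files.catbox.moe/x.exe"], True),
    "trusted_no_dmarc": Message("it@microsoft.com", ["https://files.catbox.moe/x.exe"]),
    "no_catbox": Message("mail@example.net", ["https://example.org/a.zip"]),
}
def run_samples() -> dict:
    """Evaluate every sample; returns {name: matched}."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}
```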
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Catbox.moe link from untrusted source"
description: "Detects messages containing links to catbox.moe file hosting service from senders who either aren't in highly trusted domains or failed DMARC authentication"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain == "catbox.moe"
          and not strings.iends_with(.href_url.path, ".json")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
- "Attack surface reduction"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
- "URL analysis"
id: "d6041a8b-55a9-5016-b214-ba021f4eba64"