← Back to Explore
sublimehighRule
Image as content with a link to an open redirect (unsolicited)
Body contains little, no, or only disclaimer text, an image, and a link to an open redirect.
Detection Query
type.inbound
and length(body.links) < 3
and 0 < (length(attachments)) < 3
and all(attachments, (.file_type in $file_types_images))
and all(attachments, (.size > 10000))
// image is in body
and strings.icontains(body.html.raw, 'src="cid')
// sender domain matches no body domains
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
and (
// body text is very short
(
0 <= (length(body.current_thread.text)) < 10
or body.current_thread.text is null
)
or (
length(body.current_thread.text) < 900
// or body is most likely all warning banner (text contains the sender and common warning banner language)
and (
(
strings.contains(body.current_thread.text, sender.email.email)
and strings.contains(body.current_thread.text, 'caution')
)
or regex.icontains(body.current_thread.text,
"intended recipient's use only|external email|sent from outside|you don't often|confidential"
)
)
)
)
and (
any(body.links,
any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
and .href_url.domain.root_domain not in $high_trust_sender_root_domains
)
or any(body.links,
.href_url.domain.root_domain == 'sng.link'
and strings.ilike(.href_url.query_params, "*fallback_redirect*")
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().prevalence == "common"
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Image as content with a link to an open redirect (unsolicited)"
description: "Body contains little, no, or only disclaimer text, an image, and a link to an open redirect."
type: "rule"
severity: "high"
source: |
type.inbound
and length(body.links) < 3
and 0 < (length(attachments)) < 3
and all(attachments, (.file_type in $file_types_images))
and all(attachments, (.size > 10000))
// image is in body
and strings.icontains(body.html.raw, 'src="cid')
// sender domain matches no body domains
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
and (
// body text is very short
(
0 <= (length(body.current_thread.text)) < 10
or body.current_thread.text is null
)
or (
length(body.current_thread.text) < 900
// or body is most likely all warning banner (text contains the sender and common warning banner language)
and (
(
strings.contains(body.current_thread.text, sender.email.email)
and strings.contains(body.current_thread.text, 'caution')
)
or regex.icontains(body.current_thread.text,
"intended recipient's use only|external email|sent from outside|you don't often|confidential"
)
)
)
)
and (
any(body.links,
any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
and .href_url.domain.root_domain not in $high_trust_sender_root_domains
)
or any(body.links,
.href_url.domain.root_domain == 'sng.link'
and strings.ilike(.href_url.query_params, "*fallback_redirect*")
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().prevalence == "common"
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Image as content"
- "Open redirect"
- "Social engineering"
detection_methods:
- "Content analysis"
- "HTML analysis"
- "URL analysis"
id: "f5cec36b-76ea-5cd6-958b-74f819d73a47"