sublimemediumRule

Notion suspicious file share

Message contains a notion link that contains suspicious terms. You may need to deactivate or fork this rule if your organization uses Notion.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1204.002 T1486 T1036 T1027

defense-evasion

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.root_domain in~ ("notion.so", "notion.site")
        and (
          strings.ilike(.href_url.url,
                        '*shared*',
                        '*document*',
                        '*secure*',
                        '*office*',
                        '*important*',
                        '*wants-to*',
                        '*share*',
                        '*statement*'
          )
          or strings.ilike(.display_url.url,
                           '*shared*',
                           '*document*',
                           '*secure*',
                           '*office*',
                           '*important*',
                           '*wants-to*',
                           '*share*',
                           '*statement*'
          )
          or strings.ilike(.display_text,
                           '*shared*',
                           '*document*',
                           '*secure*',
                           '*office*',
                           '*important*',
                           '*wants-to*',
                           '*share*',
                           '*statement*'
          )
        )
)
and sender.email.domain.domain != 'mail.notion.so'
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Tags

Attack surface reduction

Raw Content

name: "Notion suspicious file share"
description: |
  Message contains a notion link that contains suspicious terms. You 
  may need to deactivate or fork this rule if your organization uses 
  Notion.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain in~ ("notion.so", "notion.site")
          and (
            strings.ilike(.href_url.url,
                          '*shared*',
                          '*document*',
                          '*secure*',
                          '*office*',
                          '*important*',
                          '*wants-to*',
                          '*share*',
                          '*statement*'
            )
            or strings.ilike(.display_url.url,
                             '*shared*',
                             '*document*',
                             '*secure*',
                             '*office*',
                             '*important*',
                             '*wants-to*',
                             '*share*',
                             '*statement*'
            )
            or strings.ilike(.display_text,
                             '*shared*',
                             '*document*',
                             '*secure*',
                             '*office*',
                             '*important*',
                             '*wants-to*',
                             '*share*',
                             '*statement*'
            )
          )
  )
  and sender.email.domain.domain != 'mail.notion.so'
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "f7307929-bbfd-58b6-81e4-afff7610cff2"