← Back to Explore
sublimeRule
Attachment with free subdomain host URL (unsolicited)
Recursively scans files and archives to detect links to free subdomain hosts. Free subdomain hosts are commonly used to host credential phishing sites.
Detection Query
type.inbound
and any(attachments,
.file_extension in~ ("pdf")
and any(file.explode(.),
any(.scan.url.urls,
.domain.root_domain in $free_subdomain_hosts
and .domain.subdomain is not null
and .domain.subdomain != "www"
and .domain.domain != "sts.amazonaws.com"
and .domain.root_domain != "zendesk.com"
)
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Suspicious attachmentSuspicious link
Raw Content
name: "Attachment with free subdomain host URL (unsolicited)"
description: |
Recursively scans files and archives to detect links to free subdomain hosts.
Free subdomain hosts are commonly used to host credential phishing sites.
type: "rule"
source: |
type.inbound
and any(attachments,
.file_extension in~ ("pdf")
and any(file.explode(.),
any(.scan.url.urls,
.domain.root_domain in $free_subdomain_hosts
and .domain.subdomain is not null
and .domain.subdomain != "www"
and .domain.domain != "sts.amazonaws.com"
and .domain.root_domain != "zendesk.com"
)
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
tags:
- "Suspicious attachment"
- "Suspicious link"