sublime · medium · Rule

Mass Outbound Group With Free File Host Domain

Detects when a sender contacts multiple unique domains and includes links to known free file hosting services.

Detection Query

type.outbound
and 1 of (
  length(distinct(recipients.to, .email.domain.root_domain)) > 10,
  length(distinct(recipients.cc, .email.domain.root_domain)) > 10,
  length(distinct(recipients.bcc, .email.domain.root_domain)) > 10
)
and any(body.links, .href_url.domain.domain in $free_file_hosts)
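
As an added illustration, not code from Sublime or this rule, here is a Python re-implementation of the query's logic run over a constructed outbound message: more than 10 distinct recipient root domains in at least one of To/Cc/Bcc, plus a body link whose domain is in the free-file-host list. The FREE_FILE_HOSTS set and the root_domain helper are assumptions; the real $free_file_hosts list is not on this page.

```python
from urllib.parse import urlparse

# Assumed stand-in for Sublime's $free_file_hosts list (constructed, not the real list).
FREE_FILE_HOSTS = {"example-filehost.test", "files.example-share.test"}
DISTINCT_DOMAIN_THRESHOLD = 10  # the rule's "> 10"


def root_domain(address):
    """Crude root-domain extraction: last two labels of the address's host part.
    Approximates .email.domain.root_domain; a real implementation would use the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    host = address.rsplit("@", 1)[-1].lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def distinct_root_domains(addresses):
    return {root_domain(a) for a in addresses}


def link_domain(href):
    """Equivalent of .href_url.domain.domain: the full host of the link."""
    return (urlparse(href).hostname or "").lower()


def rule_matches(msg):
    """True when the message is outbound, at least one of to/cc/bcc spans more
    than 10 distinct root domains ("1 of (...)"), and any body link points at a
    free file host."""
    if msg.get("direction") != "outbound":
        return False
    mass_send = any(
        len(distinct_root_domains(msg.get(field, []))) > DISTINCT_DOMAIN_THRESHOLD
        for field in ("to", "cc", "bcc")
    )
    if not mass_send:
        return False
    return any(link_domain(h) in FREE_FILE_HOSTS for h in msg.get("links", []))


# Constructed sample: 11 distinct recipient root domains in To and one file-host link.
SAMPLE = {
    "direction": "outbound",
    "to": [f"user{i}@company{i}.test" for i in range(11)],
    "cc": [],
    "bcc": [],
    "links": ["https://example-filehost.test/d/abc123"],
}

if __name__ == "__main__":
    print(rule_matches(SAMPLE))
```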

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Mass Outbound Group With Free File Host Domain"
description: "Detects when a sender contacts multiple unique domains and includes links to known free file hosting services."
type: "rule"
severity: "medium"
source: |
  type.outbound
  and 1 of (
    length(distinct(recipients.to, .email.domain.root_domain)) > 10,
    length(distinct(recipients.cc, .email.domain.root_domain)) > 10,
    length(distinct(recipients.bcc, .email.domain.root_domain)) > 10
  )
  and any(body.links, .href_url.domain.domain in $free_file_hosts)

attack_types:
  - "BEC/Fraud"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"