sublime | low | Rule
Cutt.ly hosting link
The message contains a Cutt.ly link, which can be used to host malicious content.
Detection Query
type.inbound
and not sender.email.domain.root_domain in $alexa_1m
and (
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $recipient_emails
  )
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.domain not in $recipient_domains
  )
)
and any(body.links, .href_url.domain.root_domain == 'cutt.ly')
Author
ajpc500
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Suspicious link
Raw Content
name: "Cutt.ly hosting link"
description: |
  The message contains a Cutt.ly link, which can be used to host malicious content.
type: "rule"
severity: "low"
authors:
  - twitter: "ajpc500"
source: |
  type.inbound
  and not sender.email.domain.root_domain in $alexa_1m
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
  and any(body.links, .href_url.domain.root_domain == 'cutt.ly')
tags:
  - "Suspicious link"