
Attachment with URL shortener (unsolicited)

Recursively scans files and archives to detect links to URL shorteners.

Detection Query

type.inbound
and any(attachments,
        .file_extension in~ ("pdf")
        and any(file.explode(.), any(.scan.url.urls, .domain.root_domain in $url_shorteners))
)
and (
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $recipient_emails
  )
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.domain not in $recipient_domains
  )
)
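To make the rule's three conditions concrete, the following is an added example (not Sublime's code and not part of this rule page) that re-implements the same logic in plain Python and evaluates it over a handful of constructed messages. The list contents standing in for $url_shorteners, $free_email_providers, $recipient_domains and $recipient_emails, the attachment scan results, the messages and the root_domain helper are all assumptions made for the example.

```python
"""Plain-Python re-implementation of the rule's logic, for illustration only.
Assumption: list contents, attachment scan results and messages are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-ins for Sublime's $url_shorteners, $free_email_providers,
# $recipient_domains and $recipient_emails lists.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_DOMAINS = {"example.com"}
RECIPIENT_EMAILS = {"known.contact@gmail.com"}


@dataclass
class Attachment:
    file_extension: str
    urls: list = field(default_factory=list)      # URLs a scan found in this file
    children: list = field(default_factory=list)  # files extracted from an archive


@dataclass
class Message:
    inbound: bool
    sender_email: str
    attachments: list = field(default_factory=list)


def root_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels. Sublime's
    root_domain uses the public suffix list, so 'example.co.uk' would differ."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def explode(att: Attachment):
    """Stand-in for file.explode(.): yield the file and everything nested in it."""
    yield att
    for child in att.children:
        yield from explode(child)


def attachment_has_shortener(att: Attachment) -> bool:
    """Mirrors: .file_extension in~ ("pdf") and any(file.explode(.), any(.scan.url.urls, ...))."""
    if att.file_extension.lower() != "pdf":      # in~ compares case-insensitively
        return False
    return any(
        root_domain(urlsplit(u).hostname or "") in URL_SHORTENERS
        for f in explode(att)
        for u in f.urls
    )


def sender_is_unsolicited(sender_email: str) -> bool:
    """Mirrors the rule's sender block: free-mail senders must be known
    addresses, other senders must not be one of our own domains."""
    sender_domain = sender_email.split("@", 1)[1].lower()
    if root_domain(sender_domain) in FREE_EMAIL_PROVIDERS:
        return sender_email.lower() not in RECIPIENT_EMAILS
    return sender_domain not in RECIPIENT_DOMAINS


def rule_matches(msg: Message) -> bool:
    return (
        msg.inbound
        and any(attachment_has_shortener(a) for a in msg.attachments)
        and sender_is_unsolicited(msg.sender_email)
    )


# Constructed sample messages covering each branch of the rule.
SAMPLES = {
    "stranger_gmail_pdf_bitly": Message(True, "stranger@gmail.com",
        [Attachment("pdf", urls=["https://bit.ly/3abcXYZ"])]),
    "known_gmail_contact": Message(True, "known.contact@gmail.com",
        [Attachment("pdf", urls=["https://bit.ly/3abcXYZ"])]),
    "external_vendor": Message(True, "billing@vendor-mail.net",
        [Attachment("PDF", urls=["https://tinyurl.com/invoice"])]),
    "internal_sender": Message(True, "hr@example.com",
        [Attachment("pdf", urls=["https://t.co/xyz"])]),
    "pdf_without_shortener": Message(True, "stranger@gmail.com",
        [Attachment("pdf", urls=["https://www.example.org/report"])]),
    "shortener_in_zipped_pdf": Message(True, "stranger@gmail.com",
        [Attachment("zip", children=[Attachment("pdf", urls=["https://bit.ly/x"])])]),
    "outbound": Message(False, "stranger@gmail.com",
        [Attachment("pdf", urls=["https://bit.ly/x"])]),
}


def evaluate_samples() -> dict:
    """Name -> whether the rule would flag that constructed message."""
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:26s} {'MATCH' if hit else 'no match'}")
```

Two details of the query are worth noticing in the sample results. The "unsolicited" test is asymmetric: a free-mail sender is only trusted if the exact address is in $recipient_emails, while any other sender is trusted if its domain is in $recipient_domains. And the `.file_extension in~ ("pdf")` check is applied to the top-level attachment before file.explode runs, so in the query as written a PDF nested inside an archive (the "shortener_in_zipped_pdf" sample) is not evaluated; a variant that wants archive coverage would need to test the extension on the exploded files instead.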

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Suspicious attachment
URL shortener

Raw Content

name: "Attachment with URL shortener (unsolicited)"
description: |
  Recursively scans files and archives to detect links to URL shorteners.
type: "rule"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ ("pdf")
          and any(file.explode(.), any(.scan.url.urls, .domain.root_domain in $url_shorteners))
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Suspicious attachment"
  - "URL shortener"