[PR #3409] added rule: Link: Office document hosted on suspicious file sharing service

github-actions[bot] · github-actions[bot] · commit 5b183add6526 · 2025-10-15T21:17:40.000Z
diff --git a/detection-rules/3409_credential_phishing_office_document_suspicious_file_sharing_service.yml b/detection-rules/3409_credential_phishing_office_document_suspicious_file_sharing_service.yml
@@ -0,0 +1,62 @@
+name: "Link: Office document hosted on suspicious file sharing service"
+description: "Detects messages containing links with office document file extensions in the display text that are hosted on Telegram Bot API, free file hosts, or free subdomain hosts, excluding SharePoint."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.links) < 20
+  
+  // message contains a link with office file extension in display text
+  and any(body.current_thread.links,
+          // display text suggests an office document
+          regex.icontains(.display_text,
+                          '\.(pdf|doc|docx|xls|xlsx|ppt|pptx|csv)$'
+          )
+          // and it's hosted on Telegram Bot API
+          and (
+            (
+              .href_url.domain.root_domain == "telegram.org"
+              and strings.istarts_with(.href_url.path, '/file/bot')
+            )
+            // or it's a free file host
+            or (
+              .href_url.domain.root_domain in $free_file_hosts
+              and .href_url.domain.root_domain != "sharepoint.com"
+            )
+            or .href_url.domain.root_domain in $free_subdomain_hosts
+            // or it's a mimecast rewrite linking to the above
+            or (
+              .href_url.domain.root_domain == "mimecastprotect.com"
+              and any(.href_url.query_params_decoded["url"],
+                      strings.parse_url(.).domain.root_domain in $free_subdomain_hosts
+                      or strings.parse_url(.).domain.root_domain in $free_file_hosts
+              )
+            )
+          )
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender().any_false_positives
+
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Free file host"
+  - "Free subdomain host"
+  - "Social engineering"
+detection_methods:
+  - "URL analysis"
+  - "Content analysis"
+  - "Sender analysis"
+id: "943ead44-cc24-5c50-9793-b20900661b90"
+og_id: "52109bfc-f5a6-50f2-8027-c89311168e94"
+testing_pr: 3409
+testing_sha: 79ab0e736fd424ed47d908b2bf23fdb0aea08a9b
