[PR #3036] changed rule: Catbox.moe Link From Untrusted Source

Author: github-actions[bot]

detection-rules/3036_link_catbox.yml

@@ -0,0 +1,33 @@
+name: "Catbox.moe Link From Untrusted Source"
+description: "Detects messages containing links to catbox.moe file hosting service from senders who either aren't in highly trusted domains or failed DMARC authentication"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(body.links,
+          .href_url.domain.root_domain == "catbox.moe"
+          and not strings.iends_with(.href_url.path, ".json")
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Free file host"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "b1a3ff45-a9ef-5ede-acc6-6838d0b83db9"
+og_id: "d6041a8b-55a9-5016-b214-ba021f4eba64"
+testing_pr: 3036
+testing_sha: 41d33c53cfe19b6089db263a0199fffa2c3fd40c