[PR #3043] changed rule: Link: Direct link to limewire hosted file

github-actions[bot] · github-actions[bot] · commit df28f37f5fd3 · 2025-08-01T19:34:52.000Z
diff --git a/detection-rules/3043_link_limewire_direct.yml b/detection-rules/3043_link_limewire_direct.yml
@@ -0,0 +1,39 @@
+name: "Link: Direct link to limewire hosted file"
+description: "Message contains exactly one link to limewire.com domain with fewer than 10 total links in the body."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  // there are few links
+  and length(body.links) < 10
+  // contains a link to limewire
+  and any(body.links, .href_url.domain.domain == "limewire.com")
+  // is the only link to limewire
+  and length(filter(body.links,
+                    .href_url.domain.root_domain == "limewire.com"
+                    and strings.istarts_with(.href_url.path, "/d/")
+             )
+  ) == 1
+  and not length(body.previous_threads) > 0
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender_email().any_messages_benign
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Free file host"
+detection_methods:
+  - "URL analysis"
+  - "Content analysis"
+id: "435fec18-c869-5bda-ad01-0cc32e7e9248"
+og_id: "70840d00-c6e3-59ec-8dc5-8156e61abec6"
+testing_pr: 3043
+testing_sha: 46299c6fc6fdcd61a8e424a673cb92650248a7a3
