[PR #3056] changed rule: Link: Free file hosting with undisclosed recipients

github-actions[bot] · github-actions[bot] · commit ef1c20e17270 · 2025-08-06T14:19:23.000Z
diff --git a/detection-rules/3056_link_free_file_hosting_undisclosed_recipients.yml b/detection-rules/3056_link_free_file_hosting_undisclosed_recipients.yml
@@ -0,0 +1,67 @@
+name: "Link: Free file hosting with undisclosed recipients"
+description: "Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // no previous threads
+  and length(body.previous_threads) == 0
+  
+  // few links
+  and 0 < length(body.current_thread.links) < 10
+  
+  // undisclosed recipientsor all recipients cc'd
+  and (
+    any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
+    or (length(recipients.cc) > 0 and length(recipients.to) == 0)
+    or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
+  )
+  
+  // links to free file hosts or free subdomain hosts
+  and any(body.current_thread.links,
+          (
+            .href_url.domain.root_domain in $free_file_hosts
+            or .href_url.domain.root_domain in $free_subdomain_hosts
+          )
+          and .href_url.domain.subdomain is not null
+          and .visible
+          and not (
+            .href_url.domain.root_domain == "googleusercontent.com"
+            and strings.istarts_with(.href_url.path, "/mail-sig")
+          )
+  )
+  
+  // negate listmailers & benign threads
+  and not (
+    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+    or any(ml.nlu_classifier(body.current_thread.text).intents,
+           .name == "benign" and .confidence == "high"
+    )
+  )
+  
+  // unsolicited and passing auth, or failing/missing dmarc
+  and (
+    (
+      coalesce(headers.auth_summary.dmarc.pass, false)
+      and not profile.by_sender().solicited
+    )
+    or (not coalesce(headers.auth_summary.dmarc.pass, false))
+  )
+  
+
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Free file host"
+  - "Free subdomain host"
+  - "Evasion"
+detection_methods:
+  - "Header analysis"
+  - "URL analysis"
+  - "Sender analysis"
+  - "Natural Language Understanding"
+id: "11681f39-a403-5541-bd16-5269a4e4e8f7"
+og_id: "b6281306-bf26-58e2-8445-0ef8d05d9820"
+testing_pr: 3056
+testing_sha: 0ea3323787c6a2c9aa547494b461135c24f49cfa
