From 158e0da0020f89828258b3bff1bfab93e9fca1b2 Mon Sep 17 00:00:00 2001
From: ben-sublime
Date: Mon, 4 Aug 2025 16:19:22 -0500
Subject: [PATCH 1/4] Create svg_reference_free_file_hosting.yml
---
 .../svg_reference_free_file_hosting.yml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 detection-rules/svg_reference_free_file_hosting.yml
diff --git a/detection-rules/svg_reference_free_file_hosting.yml b/detection-rules/svg_reference_free_file_hosting.yml
new file mode 100644
index 00000000000..b20be02dc23
--- /dev/null
+++ b/detection-rules/svg_reference_free_file_hosting.yml
@@ -0,0 +1,45 @@
+name: "SVG file reference with free file hosting from non-freemail sender"
+description: "Detects messages containing SVG file references in links, body text, subject, or sender display name, combined with links to free file hosting services from non-freemail domains where the linked domains don't match the sender's domain."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // length of body links is greater than 0
+ and length(body.links) > 0
+
+ // sender is not freemail
+ and sender.email.domain.root_domain not in $free_email_providers
+
+ // and no body links match the sender's domain
+ and all(body.links,
+ .href_url.domain.root_domain != sender.email.domain.root_domain
+ )
+ // .svg found either in the body links or in the body text, or in certain header fields (subject, display name)
+ and (
+ any(body.links, strings.ilike(.display_text, "*.svg*"))
+ or (strings.icontains(body.current_thread.text, ".svg"))
+ or any([subject.subject, sender.display_name], strings.icontains(., '.svg'))
+ )
+ // any body links are in $free_file_hosts
+ and any(body.links,
+ (
+ .href_url.domain.domain in $free_file_hosts
+ or .href_url.domain.root_domain in $free_file_hosts
+ )
+ // remove free_file_hosts used to host images as links
+ and not any($file_types_images,
+ strings.iends_with(..href_url.url, strings.concat('.', .))
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Free file host"
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
+ - "URL analysis"
From e4a388297641494b7efa1afc2a83e6478532fd37 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Mon, 4 Aug 2025 21:38:45 +0000
Subject: [PATCH 2/4] Auto add rule ID
---
 detection-rules/svg_reference_free_file_hosting.yml | 1 +
 1 file changed, 1 insertion(+)
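Review bot: The `.svg` reference test in the new `and ( … )` block inspects `.display_text`, `body.current_thread.text`, the subject and the display name, but never the link target itself, so a free-file-host link whose URL ends in `.svg` but whose display text reads "View document" is not matched; add `or any(body.links, strings.icontains(.href_url.url, ".svg"))` to that block. Separately, the image carve-out `and not any($file_types_images, strings.iends_with(..href_url.url, strings.concat('.', .)))` will suppress exactly the direct `.svg` download links this rule is meant to catch if `svg` is a member of `$file_types_images` (the list is not visible here, so confirm); if it is, keep SVG in scope with `and not any($file_types_images, . != "svg" and strings.iends_with(..href_url.url, strings.concat('.', .)))`. A one-line comment above the carve-out recording that decision would stop a later tuner from reintroducing the gap.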
diff --git a/detection-rules/svg_reference_free_file_hosting.yml b/detection-rules/svg_reference_free_file_hosting.yml
index b20be02dc23..50ac19a3911 100644
--- a/detection-rules/svg_reference_free_file_hosting.yml
+++ b/detection-rules/svg_reference_free_file_hosting.yml
@@ -43,3 +43,4 @@ detection_methods:
 - "Header analysis"
 - "Sender analysis"
 - "URL analysis"
+id: "13c1bb93-f4b8-5ba1-b49b-5783eda7dca0"
From 403fd99874761dd04b538575f220fec15457e0a8 Mon Sep 17 00:00:00 2001
From: ben-sublime
Date: Tue, 12 Aug 2025 09:57:47 -0500
Subject: [PATCH 3/4] Update svg_reference_free_file_hosting.yml
Added some exceptions that came up while in test rules.
---
 detection-rules/svg_reference_free_file_hosting.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/detection-rules/svg_reference_free_file_hosting.yml b/detection-rules/svg_reference_free_file_hosting.yml
index 50ac19a3911..a599152387b 100644
--- a/detection-rules/svg_reference_free_file_hosting.yml
+++ b/detection-rules/svg_reference_free_file_hosting.yml
@@ -31,6 +31,11 @@ source: |
 strings.iends_with(..href_url.url, strings.concat('.', .))
 )
 )
+ and not (
+ strings.icontains(body.current_thread.text, "Modify my alert settings")
+ or strings.icontains(body.current_thread.text, "Requested resource")
+ or strings.icontains(body.current_thread.text, "against company policy")
+ )
 
 attack_types:
 - "Credential Phishing"
From 14713e0165ce868b6a62b968b2f719a27da17880 Mon Sep 17 00:00:00 2001
From: ben-sublime
Date: Tue, 12 Aug 2025 13:14:23 -0500
Subject: [PATCH 4/4] Update svg_reference_free_file_hosting.yml
Sam identified a FP and we added a boundary for body.links and exclusion for previous threads.
---
 detection-rules/svg_reference_free_file_hosting.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/detection-rules/svg_reference_free_file_hosting.yml b/detection-rules/svg_reference_free_file_hosting.yml
index a599152387b..7df654d6278 100644
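Review bot: The three new `strings.icontains(body.current_thread.text, …)` exclusions are controlled entirely by the message author, so anyone aware of this rule can switch it off by placing "Requested resource" or "against company policy" anywhere in the body; the latter is also a routine lure phrase in blocked-attachment-themed phishing, so the exclusion risks allow-listing the very messages the rule targets. Since the commit says these came from test-mode false positives, anchor each phrase on the notifying sender rather than on body text alone, e.g. `and not (sender.email.domain.root_domain == "<internal-notifier-domain>" and (strings.icontains(body.current_thread.text, "Modify my alert settings") or …))`, with the real domain filled in. Record which system produced the false positive in a comment on the block, otherwise the phrases cannot be retired safely later. The `source: |` block this hunk edits begins and ends outside the hunk.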
--- a/detection-rules/svg_reference_free_file_hosting.yml
+++ b/detection-rules/svg_reference_free_file_hosting.yml
@@ -4,8 +4,10 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- // length of body links is greater than 0
- and length(body.links) > 0
+ // length of body links is greater than 0 and less than 10
+ and 0 < length(body.links) < 10
+
+ and length(body.previous_threads) == 0
 
 // sender is not freemail
 and sender.email.domain.root_domain not in $free_email_providers
@@ -31,6 +33,7 @@ source: |
 strings.iends_with(..href_url.url, strings.concat('.', .))
 )
 )
+ // some exclusions for internal emails
 and not (
 strings.icontains(body.current_thread.text, "Modify my alert settings")
 or strings.icontains(body.current_thread.text, "Requested resource")
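Review bot: The new `0 < length(body.links) < 10` cap and the new `length(body.previous_threads) == 0` guard each hand an attacker a cheap bypass: padding the footer with ten or more links, or delivering the lure as a reply or forward with a quoted thread, now exits the rule before any of the SVG or free-host logic runs. Both were added for a single reported false positive, so the trade-off should be visible to the next tuner; the comment currently only restates the threshold, and should state the reason, e.g. `// capped below 10 links and first-message-only: tuned for a link-heavy legitimate message seen in testing; revisit if coverage drops`. Consider whether the false positive could instead be excluded on its sender, which would leave threaded and link-heavy phishing in scope. The `source: |` block continues below the hunk.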
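Review bot: The new comment `// some exclusions for internal emails` states an intent the block beneath it does not enforce — the conditions match body-text phrases and nothing in them establishes that the sender is internal, so a reader will assume a sender check that is not there. Either make the comment match what the code does, e.g. `// body-text phrases from internal notification FPs seen in testing; this is not a sender check`, or add the sender condition the comment implies so the phrase match only applies to mail from the notifying system. The `and not (` block continues past the end of the hunk.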