Create svg_reference_free_file_hosting.yml #3051
Open: wants to merge 7 commits into base: main
54 changes: 54 additions & 0 deletions detection-rules/svg_reference_free_file_hosting.yml
@@ -0,0 +1,54 @@
name: "SVG file reference with free file hosting from non-freemail sender"
description: "Detects messages containing SVG file references in links, body text, subject, or sender display name, combined with links to free file hosting services from non-freemail domains where the linked domains don't match the sender's domain."
type: "rule"
severity: "medium"
source: |
type.inbound
// length of body links is greater than 0 and less than 10
and 0 < length(body.links) < 10

and length(body.previous_threads) == 0

// sender is not freemail
and sender.email.domain.root_domain not in $free_email_providers

// and no body links match the sender's domain
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
// .svg found either in the body links or in the body text, or in certain header fields (subject, display name)
and (
any(body.links, strings.ilike(.display_text, "*.svg*"))
or (strings.icontains(body.current_thread.text, ".svg"))
or any([subject.subject, sender.display_name], strings.icontains(., '.svg'))
)
// any body links are in $free_file_hosts
and any(body.links,
(
.href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
)
// remove free_file_hosts used to host images as links
and not any($file_types_images,
strings.iends_with(..href_url.url, strings.concat('.', .))
)
)
// some exclusions for internal emails
and not (
strings.icontains(body.current_thread.text, "Modify my alert settings")
or strings.icontains(body.current_thread.text, "Requested resource")
or strings.icontains(body.current_thread.text, "against company policy")
)

attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Free file host"
- "Evasion"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
- "URL analysis"
id: "13c1bb93-f4b8-5ba1-b49b-5783eda7dca0"
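Review bot: The image-extension exclusion inside the free-file-host block can suppress the very link this rule is meant to catch. `and not any($file_types_images, strings.iends_with(..href_url.url, strings.concat('.', .)))` drops any free-file-host link whose URL ends in an extension from `$file_types_images`; if that list includes `svg` (it is an image format), a hosted `.svg` link is excluded and the rule only fires when ".svg" happens to appear in anchor text, body text, subject or display name. Either carve it out inside that `any` (e.g. `strings.iends_with(..href_url.url, strings.concat('.', .)) and . != "svg"`) or confirm in a comment that the list does not contain `svg`. Related gap: the "SVG reference" block checks `.display_text`, `body.current_thread.text`, `subject.subject` and `sender.display_name` but never the link URL itself, so a free-file-host link whose path ends in `.svg` with anchor text like "View document" is missed; consider adding `or any(body.links, strings.iends_with(.href_url.path, ".svg"))` to that group, which also matches the description's claim of detecting SVG references "in links". Minor: the three hardcoded phrases under "some exclusions for internal emails" ("Modify my alert settings", "Requested resource", "against company policy") should say which notification sources they are tuning out so a future reviewer can tell whether they still apply.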