Medium Severity
Attachment: RTF file with suspicious link
Description
This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain.
References
No references.
Sublime Security
Created Aug 2nd, 2024 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_common_archives
or .file_type == "rtf"
)
and any(file.explode(.),
.flavors.mime == 'text/rtf'
and any(.scan.url.urls,
.domain.valid
and .domain.subdomain is not null
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
and (
(
.domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
)
or (
.domain.root_domain in $free_file_hosts
or .domain.root_domain in $free_file_hosts
or .domain.root_domain in $free_subdomain_hosts
or .domain.root_domain in $url_shorteners
)
// or the url contains the recipient email and the root_domain is not in tranco
or (
any(recipients.to,
strings.icontains(..url, .email.email)
)
and (
.domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
)
)
)
)
)
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.