High Severity
Brand Impersonation: WeTransfer
Description
Detects messages claiming to be from WeTransfer that contain suspicious indicators, including misspelled domains, non-standard TLDs, suspicious file reference numbers, and French language variations. Excludes legitimate WeTransfer traffic with valid DMARC authentication.
References
No references.
Sublime Security
Created Mar 12th, 2025 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and 2 of (
(
strings.ilike(sender.display_name, '*wetransfer*')
or strings.ilike(sender.display_name, '*we transfer*')
or strings.ilevenshtein(sender.display_name, "wetransfer") <= 1
),
// Check for misspelled wetransfer domains in sender email
regex.icontains(sender.email.email, 'nore?pl[a@]y@wetransfer'),
// Check for non-legitimate TLDs (.fr or others)
regex.icontains(sender.email.domain.root_domain, 'wetransfer\\.[a-z]{2,4}$'),
// Suspicious subject patterns
regex.icontains(subject.subject,
'(?:Documents?|Files?) (?:Received|Sent) (?:via)? WeTransfer'
),
// Check for file reference numbers which are common in phishing
regex.icontains(subject.subject,
'WeTransfer \[(?:File No\.|)\s*:\s*[0-9-]+\s*\]'
),
// French language patterns
regex.icontains(subject.subject, 'vous a envoy[ée] .{1,30} par WeTransfer'),
regex.icontains(subject.subject, "T[ÉE]L[ÉE]CHARGEZ VOTRE FICHIER"),
regex.icontains(body.current_thread.text, 'transfert expirera'),
regex.icontains(body.current_thread.text,
"fichiers n'aient pas encore été téléchargés"
),
any(body.links,
strings.ilike(.display_text, '*wetransfer*')
and .href_url.domain.root_domain not in~ ('wetransfer.com', 'we.tl')
),
any(body.links,
(
.href_url.domain.root_domain in $free_file_hosts
and .href_url.domain.root_domain not in~ ('wetransfer.com', 'we.tl')
)
or network.whois(.href_url.domain).days_old < 30
or .href_url.domain.tld in $suspicious_tlds
)
)
and not (
sender.email.domain.root_domain in ("wetransfer.com", "we.tl")
and headers.auth_summary.dmarc.pass
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.