Medium Severity

File sharing link with a suspicious subject

Labels

BEC/Fraud

Free file host

Description

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

References

No references.

Sublime Security

Created Aug 17th, 2023 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and sender.email.domain.root_domain != 'google.com'
and not (
  sender.email.domain.root_domain == "dropbox.com"
  and headers.auth_summary.dmarc.pass
)
and any(body.links,
        (
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
        )
        and not (
          // negating Google Forms links
          .href_url.domain.domain == "docs.google.com"
          and strings.istarts_with(.href_url.path, "/forms/")
        )
)
and regex.icontains(subject.subject, 'immediately', 'urgent')
and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.