Sublime Core Feed

Description

Detects messages containing links to free file hosting or free subdomain services whose real recipients are hidden: the To line names "undisclosed recipients", delivery is CC- or BCC-only with an empty To line, or the sender has addressed the message to themselves while the receiving mailbox appears nowhere in To. Hiding the recipient list is a common mass-distribution pattern, and a free file host gives the sender disposable hosting for malicious content. The rule only fires when the message carries between one and nine non-social links, is not list mail, is not classified as benign with high confidence, and comes from a sender that is unsolicited, unseen for over a year, or failing (or missing) DMARC.

References

No references.

Sublime Security
Created Aug 7th, 2025 • Last updated Mar 19th, 2026
Source
type.inbound
// no previous threads
and (
  length(body.previous_threads) == 0
  // If there is a previous thread, it is unrelated to current thread
  or any(body.previous_threads, .sender.email.email != mailbox.email.email)
)

// few links that aren't "social" links
and 0 < length(filter(body.current_thread.links,
                      .href_url.domain.root_domain not in (
                        'x.com',
                        'facebook.com',
                        'twitter.com',
                        'instagram.com',
                        'youtube.com',
                        'linkedin.com'
                      )
               )
) < 10

// undisclosed recipients or all recipients cc'd
and (
  any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  or (length(recipients.cc) > 0 and length(recipients.to) == 0)
  or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
  or (
    length(recipients.to) == 1
    and length(recipients.cc) == 0
    and length(recipients.bcc) == 0
    and all(recipients.to, .email.email == sender.email.email)
    and all(recipients.to, .email.email != mailbox.email.email)
  )
)

// links to free file hosts or free subdomain hosts
and any(body.current_thread.links,
        (
          .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
        )
        and .visible
        and not (
          .href_url.domain.root_domain == "googleusercontent.com"
          and strings.istarts_with(.href_url.path, "/mail-sig")
        )
        and not .href_url.domain.domain in $tenant_domains
)

// negate listmailers & benign threads
and not (
  any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "benign" and .confidence == "high"
  )
)
and not (
  (
    sender.email.domain.root_domain in ("twilio.com", "zendesk.com")
    or headers.return_path.domain.root_domain in ("twilio.com", "zendesk.com")
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// unsolicited and passing auth, sender not seen inbound for over a year, or failing/missing dmarc
and (
  (
    coalesce(headers.auth_summary.dmarc.pass, false)
    and not profile.by_sender().solicited
  )
  or profile.by_sender_email().days_since.last_inbound > 365
  or (not coalesce(headers.auth_summary.dmarc.pass, false))
)