type.inbound
and sender.email.domain.domain == "frame.io"
// these messages contain no email address of the actual sender
// so sender profile won't be interesting
// however the subject and sender display names do contain the name of the frame.io account
// which sent the share
// negate where internal employees might have sent the message
and not any($org_display_names, strings.istarts_with(subject.subject, .))
// limiting scope to just "shares" in subject
and strings.icontains(subject.subject, ' shared ')
// the subject contains the name of the file that has been shared
// the body does not contain the name shared depending on how it's shared,
// let us use the suspicious file shares from sharepoint here
// https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_sharepoint_sus_name.yml
and (
(
// file sharing service references
strings.icontains(subject.subject, 'dropbox')
or strings.icontains(subject.subject, 'docusign')
// file name lures
// secure theme
or regex.icontains(subject.subject, 'secured?.*(?:file|document|docs|fax)')
or regex.icontains(subject.subject, 'important.*(?:file|document|docs|fax)')
or regex.icontains(subject.subject, 'shared?.*(?:file|document|docs|fax)')
or regex.icontains(subject.subject, 'protected.*(?:file|document|docs|fax)')
or regex.icontains(subject.subject, 'encrypted.*(?:file|document|docs|fax)')
// scanner theme
or strings.icontains(subject.subject, 'scanne[rd]_')
// image themed
or strings.icontains(subject.subject, '_IMG_')
or regex.icontains(subject.subject, '^IMG[_-](?:\d|\W)+$')
// digits
or regex.icontains(subject.subject, 'doc(?:ument)?\s?\d+$')
or regex.icontains(subject.subject, '^\d+$')
// onedrive theme
or strings.icontains(subject.subject, 'one_docx')
or strings.icontains(subject.subject, 'OneDrive')
or regex.icontains(subject.subject, 'A document.*One.?Drive')
// action in file name
or strings.icontains(subject.subject, 'click here')
or strings.icontains(subject.subject, 'Download PDF')
or strings.icontains(subject.subject, 'Validate')
// limited file name to "confidential"
or subject.subject =~ 'Confidentiality'
or subject.subject =~ 'Confidential'
// invoice themes
or any(ml.nlu_classifier(subject.subject).entities, .name == "financial")
or strings.icontains(subject.subject, 'payment')
or strings.icontains(subject.subject, 'invoice')
or regex.icontains(subject.subject, 'INV(?:_|\s)?\d+$')
// starts with INV_ or INV\x20
or regex.icontains(subject.subject, '^INV(?:_|\s)')
or regex.icontains(subject.subject, 'P[O0]\W+?\d+$')
or strings.icontains(subject.subject, 'receipt')
or strings.icontains(subject.subject, 'billing')
or (
strings.icontains(subject.subject, 'statement')
and not subject.subject =~ "Privacy Statement"
)
or strings.icontains(subject.subject, 'Past Due')
or regex.icontains(subject.subject, 'Remit(tance)?')
or strings.icontains(subject.subject, 'Purchase Order')
// contract language
or strings.icontains(subject.subject, 'settlement')
or strings.icontains(subject.subject, 'contract agreement')
or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
or strings.icontains(subject.subject, 'contract doc')
)
or any(filter(body.links,
.href_url.domain.root_domain == "frame.io"
and (
strings.starts_with(.href_url.path, '/reviews/')
or strings.starts_with(.href_url.path, '/presentations/')
)
),
// when visiting the page on frame.io, the links contain
// indications of being suspicious
any(filter(ml.link_analysis(.).final_dom.links,
// remove links that are within frame.io or their default page
.href_url.domain.root_domain not in (
'frame.io',
'f.io',
'onetrust.com'
)
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free file hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
or (
// find any links that mention common "action" words
regex.icontains(subject.subject,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
and (
// and when visiting those links, are phishing
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
// hit a captcha page
or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
// or the page redirects to common website, observed when evasion happens
or (
length(ml.link_analysis(., mode="aggressive").redirect_history
) > 0
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
)
)
)
)
)
// or search for QR codes in the screenshot of the frame.io page
or any(file.explode(ml.link_analysis(.).screenshot),
.depth == 0
and (
(
.scan.qr.type == "url"
and .scan.qr.url.domain.root_domain not in (
'frame.io',
'f.io',
'onetrust.com'
)
)
// some samples have a pdf uploaded that contains a Sharepoint File Share lure.
// we can use ocr to detect this
or strings.icontains(.scan.ocr.raw,
'This email contains a secure link to sharepoint'
)
)
)
)
)
Playground
Test against your own EMLs or sample data.