heroui logo

Link: Free file host link with 'Important Viewing Note' lure

Sublime Rules

View Source
Summary
This rule detects inbound messages that attempt credential phishing by including links to free file hosting domains and the phrase 'important viewing note' in the message body. It targets messages that masquerade as legitimate institutional or educational communications (e.g., student conduct reports, advancement initiatives) to lend credibility and encourage recipients to click the hosted link. The detection logic requires (1) an inbound data source event, (2) at least one link in the message that resolves to a domain in the $free_file_hosts set, and (3) the text body containing the case-insensitive string 'important viewing note'. This combination suggests a lure designed to harvest credentials or sensitive information by directing users to external file sharing sites. Attack types include Credential Phishing, and the associated tactics include Free file host usage, Social engineering, and Impersonation of a brand. Detection methods involve Content analysis, URL analysis, and Threat intelligence to corroborate the malicious hosting domains. The rule is identified by a UUID and is stored in the referenced file path.
Categories
  • Endpoint
  • Web
  • Network
Data Sources
  • Application Log
  • Network Traffic
Created: 2026-07-16