Service abuse: Formester with suspicious link behavior

Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft.

Sublime rule (View on GitHub)

 1name: "Service abuse: Formester with suspicious link behavior"
 2description: "Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // LA invokes page first before scanning additional links.
 8  and (
 9    any(filter(body.links, .href_url.domain.root_domain == 'formester.com'),
10        (
11          ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
12        )
13        // any links in the final dom lead to a suspicious tld.
14        or any(ml.link_analysis(.).final_dom.links,
15               .href_url.domain.tld in $suspicious_tlds
16               or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
17        )
18  
19        // link redirects to a suspicious TLD.
20        or any(ml.link_analysis(., mode="aggressive").redirect_history,
21               .domain.tld in $suspicious_tlds
22        )
23        // suspicious landing verbiage. Keywords can be expanded.
24        or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
25                             "secure message"
26        )
27        // suspicious link verbiage.
28        or regex.icontains(.display_text,
29                           "(view|show|download).{0,20}(Doc(ument)?(s)?|files(s)?|attached)"
30        )
31    )
32    // suspicious keywords/phrasing in body.
33    or (
34      any(body.links, .href_url.domain.root_domain == 'formester.com')
35      and strings.icontains(body.current_thread.text,
36                            "use of Microsoft 365 and may contain content"
37      )
38    )
39  )  
40
41attack_types:
42  - "Credential Phishing"
43  - "BEC/Fraud"
44tactics_and_techniques:
45  - "Open redirect"
46  - "Social engineering"
47  - "Free file host"
48detection_methods:
49  - "Computer Vision"
50  - "Content analysis"
51  - "URL analysis"
52  - "URL screenshot"
53id: "e4b74fd4-b659-50c0-980c-74c8fb63aa32"