Free subdomain link with credential theft indicators
Message shows a suspicious recipients pattern (an empty or "Undisclosed recipients" To with nothing in Cc or Bcc, a single To address equal to the sender, or Bcc-only delivery), contains a link hosted on a free subdomain provider, and the linked page, screenshotted and run through OCR, carries credential theft language.
Sublime rule:
name: "Free subdomain link with credential theft indicators"
description: |
  Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain in $free_subdomain_hosts
          and .href_url.domain.subdomain is not null
          and .href_url.domain.subdomain != "www"
  )
  and (
    (
      (
        length(recipients.to) == 0
        or all(recipients.to, .display_name == "Undisclosed recipients")
      )
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
    )
    or (
      length(recipients.to) == 1
      and any(recipients.to, .email.email == sender.email.email)
    )
    or (
      length(recipients.to) == 0
      and length(recipients.cc) == 0
      and length(recipients.bcc) > 0
    )
  )
  and any(body.links,
          any(file.explode(ml.link_analysis(.).screenshot),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "9187479c-8941-5f28-88fe-0735fd2a86bc"
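The following Python is an added example that re-implements the rule's three conditions over a constructed message, so the logic can be traced offline; it is not Sublime's code and does not use MQL. The message is a plain dict shaped after the MQL fields the rule reads (type, sender, recipients, body.links). FREE_SUBDOMAIN_HOSTS is a constructed stand-in for the $free_subdomain_hosts list, and the screenshot, OCR and NLU pipeline is replaced by a phrase matcher over caller-supplied page text, so the "confidence" values it returns are an assumption, not the model's scale. One detail worth noticing while reading it: the rule's two any(body.links, ...) clauses are independent, so the link that yields credential-theft language does not have to be the free-subdomain link.

```python
import re

# Constructed stand-in for Sublime's $free_subdomain_hosts list (registered
# domains whose subdomains anyone can claim); the real list is much longer.
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "000webhostapp.com", "glitch.me"}

# Constructed stand-in for the NLU model's cred_theft intent (assumption).
CRED_THEFT_PHRASES = (
    "sign in to continue", "enter your password", "verify your password",
    "your account will be suspended",
)

_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", re.I)


def split_host(url):
    """Mirror .href_url.domain.subdomain / .root_domain for listed hosts.

    Returns (subdomain, root_domain). root_domain is None when the host is not
    under a listed provider; subdomain is None for the provider's apex itself.
    """
    m = _HOST_RE.match(url)
    if not m:
        return None, None
    host = m.group(1).lower().rstrip(".")
    for root in FREE_SUBDOMAIN_HOSTS:
        if host == root:
            return None, root
        if host.endswith("." + root):
            return host[: -len(root) - 1], root
    return None, None


def has_free_subdomain_link(links):
    """any(body.links, root in list and subdomain is not null and != "www")."""
    return any(
        root is not None and sub is not None and sub != "www"
        for sub, root in map(split_host, links)
    )


def suspicious_recipients(msg):
    """The three recipient patterns the rule ORs together."""
    to, cc, bcc = (msg["recipients"][k] for k in ("to", "cc", "bcc"))
    sender = msg["sender"]["email"].lower()
    # 1. empty or "Undisclosed recipients" To, and nothing in Cc/Bcc
    undisclosed = (
        (len(to) == 0 or all(r["display_name"] == "Undisclosed recipients" for r in to))
        and len(cc) == 0 and len(bcc) == 0
    )
    # 2. a single To that is the sender itself (real targets hidden in Bcc)
    self_addressed = len(to) == 1 and to[0]["email"].lower() == sender
    # 3. nothing in To or Cc, everything in Bcc
    bcc_only = len(to) == 0 and len(cc) == 0 and len(bcc) > 0
    return undisclosed or self_addressed or bcc_only


def cred_theft_intent(page_text):
    """Stand-in for ml.nlu_classifier(ocr_text).intents. Returns
    ("cred_theft", confidence) or None; two or more phrase hits -> "high",
    one -> "medium" (assumed scale, not the real model's)."""
    text = " ".join(page_text.lower().split())
    hits = sum(1 for phrase in CRED_THEFT_PHRASES if phrase in text)
    if hits == 0:
        return None
    return ("cred_theft", "high" if hits >= 2 else "medium")


def rule_matches(msg, page_text_by_url):
    """Evaluate the rule. page_text_by_url stands in for the OCR'd screenshot
    of each link target; a link with no entry is treated as blank."""
    if msg["type"] != "inbound":
        return False
    links = msg["body"]["links"]
    if not has_free_subdomain_link(links) or not suspicious_recipients(msg):
        return False
    # As in the rule, this clause is independent of the free-subdomain check:
    # any link whose page text classifies as cred_theft satisfies it.
    for url in links:
        intent = cred_theft_intent(page_text_by_url.get(url, ""))
        if intent is not None and intent[1] != "low":
            return True
    return False


# Constructed sample: undisclosed-recipients delivery, a lure on a free
# subdomain, and OCR text of the link target that reads like a login page.
SAMPLE_MSG = {
    "type": "inbound",
    "sender": {"email": "payroll@example.com"},
    "recipients": {
        "to": [{"display_name": "Undisclosed recipients", "email": ""}],
        "cc": [],
        "bcc": [],
    },
    "body": {"links": [
        "https://hr-portal-secure.weebly.com/login",
        "https://www.example.com/unsubscribe",
    ]},
}
SAMPLE_PAGE_TEXT = {
    "https://hr-portal-secure.weebly.com/login":
        "Webmail\nSign in to continue\nEnter your password",
}

if __name__ == "__main__":
    print("match" if rule_matches(SAMPLE_MSG, SAMPLE_PAGE_TEXT) else "no match")
```

Running the file prints "match" for the constructed sample. Change the To entry to a named recipient and the recipient check fails; change the lure's host to www.weebly.com and the subdomain check fails, exactly as the `!= "www"` clause in the rule intends.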