Free subdomain link with credential theft indicators

 1name: "Free subdomain link with credential theft indicators"
 2description: |
 3    Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(body.links,
 9          .href_url.domain.root_domain in $free_subdomain_hosts
10          and .href_url.domain.subdomain is not null
11          and .href_url.domain.subdomain != "www"
12  )
13  and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
14  and length(recipients.cc) == 0
15  and length(recipients.bcc) == 0
16  and any(body.links,
17          any(file.explode(ml.link_analysis(.).screenshot),
18              any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence != "low")
19          )
20  )  
21tags:
22  - "Attack surface reduction"
23attack_types:
24  - "Credential Phishing"
25tactics_and_techniques:
26  - "Free subdomain host"
27detection_methods:
28  - "Content analysis"
29  - "Header analysis"
30  - "Natural Language Understanding"
31  - "Optical Character Recognition"
32  - "URL analysis"
33  - "URL screenshot"
34id: "9187479c-8941-5f28-88fe-0735fd2a86bc"