Free subdomain link with credential theft indicators

Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.

Sublime rule (View on GitHub)

 1name: "Free subdomain link with credential theft indicators"
 2description: |
 3    Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(body.links,
 9          .href_url.domain.root_domain in $free_subdomain_hosts
10          and .href_url.domain.subdomain is not null
11          and .href_url.domain.subdomain != "www"
12  )
13  and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
14  and length(recipients.cc) == 0
15  and length(recipients.bcc) == 0
16  and any(body.links,
17          any(file.explode(beta.linkanalysis(.).screenshot),
18              any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
19          )
20  )  
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "Free subdomain host"
25detection_methods:
26  - "Content analysis"
27  - "Header analysis"
28  - "Natural Language Understanding"
29  - "Optical Character Recognition"
30  - "URL analysis"
31  - "URL screenshot"
32id: "9187479c-8941-5f28-88fe-0735fd2a86bc"
to-top