Body: Fake secure email portal with HTML obfuscation
Detects inbound messages with empty subjects impersonating a secure email portal, identified through multiple indicators including hidden HTML characters used to obfuscate the sender address, recipient domain echoed back as a portal sender, template typos, or frozen tracking links associated with known secure messaging infrastructure abuse.
Sublime rule

```yaml
name: "Body: Fake secure email portal with HTML obfuscation"
description: "Detects inbound messages with empty subjects impersonating a secure email portal, identified through multiple indicators including hidden HTML characters used to obfuscate the sender address, recipient domain echoed back as a portal sender, template typos, or frozen tracking links associated with known secure messaging infrastructure abuse."
type: "rule"
severity: "high"
source: |
  type.inbound
  and subject.base == ""
  and strings.icontains(body.current_thread.text, "Secure Emails")
  and strings.icontains(body.current_thread.text, "Title:")
  and (
    // hidden-@ HTML obfuscation
    regex.icontains(body.html.raw, '<font[^>]+display\s*:\s*none[^>]*>@</font>')
    // recipient root domain echoed back as a portal sender
    or any(recipients.to,
           strings.icontains(body.current_thread.text,
                             strings.concat("acts@", .email.domain.root_domain)
           )
    )
    // template typo
    or strings.icontains(body.current_thread.text, "commuication portal")
    // frozen crId or linkprotect.cudasvc.com inner target
    or any(body.links,
           .href_url.domain.domain == "links.us1.defend.egress.com"
           and (
             strings.icontains(.href_url.query_params,
                               "crId=6a17340ad2523c97775fed21"
             )
             or strings.icontains(.href_url.query_params,
                                  "OriginalLink=linkprotect.cudasvc.com"
             )
           )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
  - "Sender analysis"
  - "Threat intelligence"
id: "a001584c-f940-516a-8ddf-d8b5be48f8b6"
```
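To see how the rule's gating conditions and four indicators combine, here is an added Python approximation of the same logic run over a constructed message; it is not Sublime's code or schema. The message dict fields, the naive root-domain helper, and treating `subject.base` as a stripped subject are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the rule's hidden-@ indicator (case-insensitive like regex.icontains).
HIDDEN_AT_RE = re.compile(r'<font[^>]+display\s*:\s*none[^>]*>@</font>', re.I)

def root_domain(email):
    # Assumption: the last two labels are the root domain (good enough for this sample).
    return ".".join(email.split("@")[-1].lower().split(".")[-2:])

def link_indicator(href):
    # Mirrors the body.links clause: egress tracking host plus a frozen crId
    # or a linkprotect.cudasvc.com inner target in the query string.
    u = urlsplit(href)
    if u.hostname != "links.us1.defend.egress.com":
        return False
    q = u.query.lower()
    return ("crid=6a17340ad2523c97775fed21" in q
            or "originallink=linkprotect.cudasvc.com" in q)

def fired_indicators(msg):
    """Return the names of the OR-ed indicators that fired, or [] when the
    gating conditions (inbound, empty subject, portal markers) are not met."""
    text = msg["text"].lower()
    if not msg["inbound"] or msg["subject"].strip() != "":
        return []
    if "secure emails" not in text or "title:" not in text:
        return []
    fired = []
    if HIDDEN_AT_RE.search(msg["html"]):
        fired.append("hidden_at")
    if any(f"acts@{root_domain(r)}" in text for r in msg["to"]):
        fired.append("recipient_domain_echo")
    if "commuication portal" in text:
        fired.append("template_typo")
    if any(link_indicator(h) for h in msg["links"]):
        fired.append("frozen_link")
    return fired

def matches_rule(msg):
    return bool(fired_indicators(msg))

SAMPLE = {  # constructed sample message, not a real capture
    "inbound": True,
    "subject": "",
    "to": ["alice@example.com"],
    "text": "Secure Emails\nTitle: Contract\nFrom: contacts@example.com via commuication portal",
    "html": '<p>sender<font style="display:none">@</font>example.com</p>',
    "links": ["https://links.us1.defend.egress.com/r?crId=6a17340ad2523c97775fed21&x=1"],
}
```

Because the indicators are OR-ed behind AND-ed gates, a tuning exercise is to check which single indicator carries a given hit; `fired_indicators` returns that list for the sample.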