Issuu Document With Suspicious Embedded Link

calendar May 5, 2025  ·
Share on: linkedin copy

Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns.

Sublime rule (View on GitHub)

 1name: "Issuu Document With Suspicious Embedded Link"
 2description: "Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.root_domain == "issuu.com"
 9          and .href_url.query_params == "fr=xKAE9_zU1NQ" // opens the document full screen
10          // suspicious link in the Issuu document
11          and (
12            any(filter(ml.link_analysis(., mode="aggressive").additional_responses,
13                       strings.icontains(.url.path, "/links/")
14                ),
15                // less than 3 links in the Issuu document
16                length(.json["1"]) < 3
17                and any(.json["1"],
18                    strings.parse_url(.["url"]).domain.tld in $suspicious_tlds
19                    or strings.parse_url(.["url"]).domain.domain in $free_subdomain_hosts
20                    or strings.parse_url(.["url"]).domain.root_domain in $free_subdomain_hosts
21                    or ml.link_analysis(strings.parse_url(.["url"])).credphish.disposition == "phishing"
22                )
23            )
24            // or, credential phishing language on the page
25            or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.,
26                                                               mode="aggressive"
27                                              ).screenshot
28                                     ).text
29                   ).intents,
30                   .name == "cred_theft" and .confidence != "low"
31            )
32          )
33  )
34  and not profile.by_sender_email().any_messages_benign  
35
36attack_types:
37  - "Credential Phishing"
38tactics_and_techniques:
39  - "Social engineering"
40  - "Free file host"
41  - "Evasion"
42detection_methods:
43  - "URL analysis"
44  - "URL screenshot"
45  - "Natural Language Understanding"
46  - "Optical Character Recognition"
47id: "0d73f43d-d9b4-594d-ba63-7b93784fb33f"
to-top