Credential phishing content and link (untrusted sender)

Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase the likelihood that the link is actually scanned.

Sublime rule (View on GitHub)

 1name: "Credential phishing content and link (untrusted sender)"
 2description: |
 3  Message contains credential theft language and a link to a credential phishing page from an unknown sender.
 4  We use Link Analysis in aggressive mode to increase our chances of scanning.  
 5type: "rule"
 6severity: "high"
 7source: |
 8  type.inbound
 9  and (
10    any(ml.nlu_classifier(body.current_thread.text).intents,
11        .name == "cred_theft" and .confidence in ("medium", "high")
12    )
13    // embedded in an image attachment
14    // note: don't use message_screenshot() for now
15    // because it's not limited to current_thread and may FP
16    or any(attachments,
17           .file_type in $file_types_images
18           and any(file.explode(.),
19                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
20                       .name == "cred_theft" and .confidence in ("medium", "high")
21                   )
22           )
23    )
24  )
25  and any(body.links,
26          .href_url.domain.root_domain not in ("outlook.com")
27          and .href_url.domain.domain != "play.google.com"
28          and ml.link_analysis(., mode="aggressive").effective_url.domain.domain != "play.google.com"
29          and ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
30          and (
31            ml.link_analysis(., mode="aggressive").credphish.confidence in (
32              "medium",
33              "high"
34            )
35            or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
36          )
37          and not .href_url.domain.root_domain == "c3reservations.com"
38  )
39  and (
40    (
41      profile.by_sender_email().prevalence in ("new", "outlier")
42      and not profile.by_sender_email().solicited
43    )
44    or (
45      profile.by_sender_email().any_messages_malicious_or_spam
46      and not profile.by_sender_email().any_messages_benign
47    )
48    // or there are no recipients
49    or length(recipients.to) == 0
50    // or the recipients are all invalid 
51    or all(recipients.to, .email.domain.valid == false)
52  
53    // or the sender exhibits a "self sender" pattern
54    or (
55      length(recipients.to) == 1
56      and recipients.to[0].email.email == sender.email.email
57    )
58  )
59  
60  // negate docusign 'via' messages
61  and not (
62    any(headers.hops,
63        any(.fields,
64            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
65        )
66    )
67    and strings.contains(sender.display_name, "via")
68  )
69  
70  // negate docusign originated emails
71  and not any(headers.hops,
72              regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
73  )
74  
75  // negate highly trusted sender domains unless they fail DMARC authentication
76  and (
77    (
78      sender.email.domain.root_domain in $high_trust_sender_root_domains
79      and not headers.auth_summary.dmarc.pass
80    )
81    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
82  )  
83attack_types:
84  - "Credential Phishing"
85tactics_and_techniques:
86  - "Social engineering"
87detection_methods:
88  - "Computer Vision"
89  - "Sender analysis"
90  - "URL analysis"
91  - "URL screenshot"
92id: "f0c95bb7-afeb-5c8d-a654-74b5e026007f"