Credential phishing link (unknown sender)
Message contains a link to a credential phishing page from an unknown sender.
Sublime rule (View on GitHub)
name: "Credential phishing link (unknown sender)"
description: |
  Message contains a link to a credential phishing page from an unknown sender.
type: "rule"
severity: "high"
# Detection logic (Sublime MQL). Every "negate ..." clause below is a
# false-positive tradeoff, and several of them key on sender-controlled data
# (subject line, References / In-Reply-To headers, sender local part), so they
# are also the cheapest places for an attacker to evade this rule.
source: |
  type.inbound
  // require at least one link and fewer than ten; presumably keeps the rule to
  // sparse lure messages and bounds the per-message link_analysis work
  and 0 < length(body.links) < 10
  and any(body.links,
          ml.link_analysis(.).credphish.disposition == "phishing"
          and (
            ml.link_analysis(.).credphish.confidence in ("medium", "high")
            // a CAPTCHA on the landing page is accepted as corroborating
            // evidence even when model confidence is below "medium"
            or ml.link_analysis(.).credphish.contains_captcha
          )
          // a final DOM with 50+ links is treated as a full site rather than a
          // standalone credential-harvesting page
          and length(ml.link_analysis(.).final_dom.links) < 50
          // negate legitimate use of Google reCAPTCHA embedded badge
          // (exactly one bottom-right badge div); a captcha that is not the
          // standard badge still counts toward detection
          and not (
            (
              ml.link_analysis(.).credphish.brand.name == "Captcha"
              or ml.link_analysis(.).credphish.contains_captcha
            )
            and length(html.xpath(ml.link_analysis(.).final_dom,
                                  "//div[@class='grecaptcha-badge' and @data-style='bottomright']"
                       ).nodes
            ) == 1
          )
  )
  // "unknown sender": unsolicited and not a commonly seen sender, or a sender
  // whose profile shows only malicious/spam messages.
  // NOTE(review): the trailing "not profile.by_sender().any_messages_benign"
  // at the end of this rule already applies to both branches, so the same
  // check inside the second branch is redundant (harmless, but misleading).
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence != "common"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // negate legit replies threads
  // NOTE(review): the subject prefix, References and In-Reply-To are all set
  // by the sender, so a message that fakes a reply ("RE:" subject plus a
  // fabricated References header) bypasses this rule; deliberate FP/FN tradeoff
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust root domain is excluded only when DMARC passes, so a spoofed
  // high-trust From: domain that fails DMARC is still evaluated by this rule)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // exclude bounce backs & read receipts
  // NOTE(review): the local-part match is sender-controlled and the
  // "*administrator*" wildcard is broad -- any sender whose local part contains
  // that string (e.g. an "it-administrator@..." persona) skips this rule
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // never fire on a sender whose profile shows any benign messages
  and not profile.by_sender().any_messages_benign


attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"