Credential phishing link (unknown sender)

Message contains a link to a credential phishing page from an unknown sender.

Sublime rule (View on GitHub)

 1name: "Credential phishing link (unknown sender)"
 2description: |
 3    Message contains a link to a credential phishing page from an unknown sender.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and 0 < length(body.links) < 10
 9  and any(body.links,
10          ml.link_analysis(.).credphish.disposition == "phishing"
11          and (
12            ml.link_analysis(.).credphish.confidence in ("medium", "high")
13            or ml.link_analysis(.).credphish.contains_captcha
14          )
15          and length(ml.link_analysis(.).final_dom.links) < 50
16          // negate legitimate use of Google reCAPTCHA embedded badge
17          and not (
18            (
19              ml.link_analysis(.).credphish.brand.name == "Captcha"
20              or ml.link_analysis(.).credphish.contains_captcha
21            )
22            and length(html.xpath(ml.link_analysis(.).final_dom,
23                                  "//div[@class='grecaptcha-badge' and @data-style='bottomright']"
24                       ).nodes
25            ) == 1
26          )
27  )
28  and (
29    (
30      not profile.by_sender().solicited
31      and profile.by_sender().prevalence != "common"
32    )
33    or (
34      profile.by_sender().any_messages_malicious_or_spam
35      and not profile.by_sender().any_messages_benign
36    )
37  )
38  // negate legit replies threads
39  and not (
40    (
41      strings.istarts_with(subject.subject, "RE:")
42      // out of office auto-reply
43      or strings.istarts_with(subject.subject, "Automatic reply:")
44    )
45    and (
46      length(headers.references) > 0
47      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
48    )
49  )
50  // negate highly trusted sender domains unless they fail DMARC authentication
51  and (
52    (
53      sender.email.domain.root_domain in $high_trust_sender_root_domains
54      and not headers.auth_summary.dmarc.pass
55    )
56    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
57  )
58  
59  // exclude bounce backs & read receipts
60  and not strings.like(sender.email.local_part,
61                       "*postmaster*",
62                       "*mailer-daemon*",
63                       "*administrator*"
64  )
65  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
66  and not any(attachments, .content_type == "message/delivery-status")
67  // if the "References" is in the body of the message, it's probably a bounce
68  and not any(headers.references, strings.contains(body.html.display_text, .))
69  and not profile.by_sender().any_messages_benign  
70
71
72attack_types:
73  - "Credential Phishing"
74tactics_and_techniques:
75  - "Social engineering"
76detection_methods:
77  - "Computer Vision"
78  - "Sender analysis"
79  - "URL analysis"
80  - "URL screenshot"
81id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"
to-top