Credential phishing link (unknown sender)
Message contains a link to a credential phishing page from an unknown sender.
Sublime rule
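# Sublime Security detection rule. Flags inbound mail whose body link(s) resolve
# to a credential-phishing page when the sender is not an established, solicited
# correspondent. The MQL in `source` carries several exclusions (reply threads,
# trusted domains passing DMARC, bounces/read receipts) to limit false positives.
name: "Credential phishing link (unknown sender)"
description: |
  Message contains a link to a credential phishing page from an unknown sender.
type: "rule"
severity: "high"
source: |
  type.inbound
  // only consider messages with a small number of body links (1-9);
  // presumably this bounds the per-link ML analysis below — confirm with rule author
  and 0 < length(body.links) < 10
  and any(body.links,
          // link analysis classifies the landing page as credential phishing ...
          ml.link_analysis(.).credphish.disposition == "phishing"
          and (
            // ... with at least medium confidence, or the page gates on a CAPTCHA
            ml.link_analysis(.).credphish.confidence in ("medium", "high")
            or ml.link_analysis(.).credphish.contains_captcha
          )
          // and the rendered landing page is sparse (fewer than 50 links)
          and length(ml.link_analysis(.).final_dom.links) < 50
  )
  // sender reputation: fire only for an unsolicited, non-common sender, or for a
  // sender with prior malicious/spam messages and no recorded false positives
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence != "common"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate legit reply threads: a reply-style subject AND threading headers are
  // both required before the message is excluded. Both signals originate from
  // the sending side, so this is a heuristic, not proof the thread is genuine.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication;
  // i.e. a high-trust root domain is exempt only while it passes DMARC.
  // NOTE(review): behaviour when headers.auth_summary.dmarc.pass is absent/null
  // for a high-trust domain depends on how MQL evaluates `not null` — confirm.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // exclude bounce backs & read receipts: well-known mailer local parts,
  // NDR / read-receipt subjects, and delivery-status attachments
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  // (presumably because bounce bodies quote the original message headers)
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // global false-positive guard for the sender; this also makes the same check
  // inside the second sender-reputation branch above redundant (harmless)
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"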