Credential phishing link (first-time sender)

Message contains a link to a credential phishing page from a first-time sender.

Sublime rule (View on GitHub)

name: "Credential phishing link (first-time sender)"
description: |
    Message contains a link to a credential phishing page from a first-time sender.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
      beta.linkanalysis(.).credphish.disposition == "phishing"
      and beta.linkanalysis(.).credphish.brand.confidence in ("medium", "high")
  )
  // first-time sender
  and (
        (
            sender.email.domain.root_domain in $free_email_providers
            and sender.email.email not in $sender_emails
        )
        or (
            sender.email.domain.root_domain not in $free_email_providers
            and sender.email.domain.domain not in $sender_domains
        )
  )
tags:
  - "Credential phishing"
  - "Suspicious link"
  - "Machine learning"
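To see how the two halves of the rule combine, here is the same logic re-implemented in Python and run over a handful of constructed messages. This is an added illustration, not Sublime's code or MQL: the per-link credphish verdicts are hard-coded stand-ins for what beta.linkanalysis() would return, the $free_email_providers / $sender_emails / $sender_domains lists are replaced by small constructed sets, and root_domain() is a deliberately simplified last-two-labels helper.

```python
"""Toy re-implementation of the rule's logic for review and testing.

Added example, not Sublime's code. Link-analysis verdicts are embedded
per message (constructed), and the three Sublime lists are replaced by
small constructed sets so the script runs offline.
"""

# Constructed stand-ins for the lists the rule references.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
SENDER_EMAILS = {"alice@gmail.com"}                          # free-mail senders seen before
SENDER_DOMAINS = {"vendor.example", "mail.vendor.example"}   # org domains seen before


def root_domain(domain):
    """Simplified root-domain extraction: keep the last two labels.

    Assumption: adequate for the sample data here. Sublime's own
    root_domain is what the real rule uses; this helper is a stand-in.
    """
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def is_first_time_sender(sender_email):
    """Mirror the rule's two-branch first-time-sender check."""
    domain = sender_email.split("@", 1)[1].lower()
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        # Free-mail: the identity is the full address, so key on the address.
        return sender_email.lower() not in SENDER_EMAILS
    # Organisational mail: key on the exact sending domain, not its root.
    return domain not in SENDER_DOMAINS


def has_credphish_link(links):
    """any(body.links, disposition == "phishing" and confidence in (medium, high))."""
    return any(
        link["disposition"] == "phishing"
        and link["brand_confidence"] in ("medium", "high")
        for link in links
    )


def rule_matches(msg):
    """type.inbound and credphish link and first-time sender."""
    return (
        msg["inbound"]
        and has_credphish_link(msg["links"])
        and is_first_time_sender(msg["sender"])
    )


# Constructed sample messages; "links" carries the per-link verdicts that
# beta.linkanalysis(.).credphish would produce in a live environment.
SAMPLES = [
    {"id": "m1", "inbound": True, "sender": "new.person@gmail.com",
     "links": [{"disposition": "phishing", "brand_confidence": "high"}]},
    {"id": "m2", "inbound": True, "sender": "alice@gmail.com",               # known free-mail sender
     "links": [{"disposition": "phishing", "brand_confidence": "high"}]},
    {"id": "m3", "inbound": True, "sender": "billing@mail.vendor.example",   # known exact domain
     "links": [{"disposition": "phishing", "brand_confidence": "medium"}]},
    {"id": "m4", "inbound": True, "sender": "billing@invoices.vendor.example",  # known root, new subdomain
     "links": [{"disposition": "phishing", "brand_confidence": "medium"}]},
    {"id": "m5", "inbound": True, "sender": "someone@newco.example",
     "links": [{"disposition": "phishing", "brand_confidence": "low"}]},      # low brand confidence
    {"id": "m6", "inbound": False, "sender": "someone@newco.example",        # outbound
     "links": [{"disposition": "phishing", "brand_confidence": "high"}]},
]


def flagged_ids(samples=SAMPLES):
    """Return the ids of the sample messages the rule would fire on."""
    return [m["id"] for m in samples if rule_matches(m)]


if __name__ == "__main__":
    print(flagged_ids())
```

Note the asymmetry the rule encodes: for free-mail providers it keys on the full address, but for organisational mail it keys on sender.email.domain.domain (the exact sending domain), not the root domain. Message m4 above fires even though vendor.example is a known root, because invoices.vendor.example itself has not been seen; m5 does not fire because a "low" brand confidence is excluded, and m6 does not because the rule only considers inbound mail.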
