Credential phishing link (unknown sender)

Message contains a link to a credential phishing page from an unknown sender.

Sublime rule

 1name: "Credential phishing link (unknown sender)"
 2description: |
 3    Message contains a link to a credential phishing page from an unknown sender.
 4type: "rule"
 5severity: "high"
  # Detection logic (MQL). Fires on inbound mail that carries a small number of links,
  # at least one of which link analysis classifies as credential phishing, and whose
  # sender is either unknown/unsolicited or has prior malicious history. The remaining
  # clauses carve out reply threads, trusted domains with intact DMARC, and bounces.
 6source: |
 7  type.inbound
     // one to nine links only; link-heavy mail (newsletters, marketing) is presumably
     // out of scope by design -- confirm the upper bound is intended
 8  and 0 < length(body.links) < 10
     // at least one link must be classified as credential phishing with
     // medium or high confidence by the beta link-analysis engine
 9  and any(body.links,
10          beta.linkanalysis(.).credphish.disposition == "phishing"
11          and beta.linkanalysis(.).credphish.confidence in ("medium", "high")
12  )
     // sender profile: either an unsolicited, uncommon sender ...
13  and (
14    (
15      not profile.by_sender().solicited
16      and profile.by_sender().prevalence != "common"
17    )
       // ... or a sender with prior malicious/spam messages and no recorded false positives
18    or (
19      profile.by_sender().any_messages_malicious_or_spam
20      and not profile.by_sender().any_false_positives
21    )
22  )
23  // negate legitimate reply threads: a reply-style subject alone is not enough,
     // the message must also carry threading headers (References or In-Reply-To)
24  and not (
25    (
26      strings.istarts_with(subject.subject, "RE:")
27      // out of office auto-reply
28      or strings.istarts_with(subject.subject, "Automatic reply:")
29    )
30    and (
31      length(headers.references) > 0
32      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
33    )
34  )
35  // negate highly trusted sender domains unless they fail DMARC authentication
     // (a trusted root domain with a passing or absent DMARC result is excluded;
     // only a "*fail" DMARC result keeps it in scope)
36  and (
37    (
38      sender.email.domain.root_domain in $high_trust_sender_root_domains
39      and (
           // NOTE(review): distinct() is keyed on whether a DMARC result is present,
           // which presumably keeps one hop per null/non-null state rather than every
           // hop with a DMARC result -- confirm this is intended over a filter()
40        any(distinct(headers.hops, .authentication_results.dmarc is not null),
41            strings.ilike(.authentication_results.dmarc, "*fail")
42        )
43      )
44    )
45    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
46  )
47  
48  // exclude bounce backs & read receipts
     // system mailboxes by local part (case-insensitive glob match)
49  and not strings.like(sender.email.local_part,
50                       "*postmaster*",
51                       "*mailer-daemon*",
52                       "*administrator*"
53  )
     // anchored at the start of the subject, case-insensitive
54  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
     // DSN attachments from the delivering MTA
55  and not any(attachments, .content_type == "message/delivery-status")
56  // if the "References" is in the body of the message, it's probably a bounce
57  and not any(headers.references, strings.contains(body.html.display_text, .))
     // global exclusion; it also covers the any_false_positives check inside the
     // sender-profile branch above, so that inner check is effectively redundant
58  and not profile.by_sender().any_false_positives  
59
60
  # Classification metadata used for triage and reporting.
61attack_types:
62  - "Credential Phishing"
63tactics_and_techniques:
64  - "Social engineering"
65detection_methods:
66  - "Computer Vision"
67  - "Sender analysis"
68  - "URL analysis"
69  - "URL screenshot"
70id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"