Credential phishing link (unknown sender)

calendar Apr 30, 2025  ยท
Share on: linkedin copy

Message contains a link to a credential phishing page from an unknown sender.

Sublime rule (View on GitHub)

 1name: "Credential phishing link (unknown sender)"
 2description: |
 3    Message contains a link to a credential phishing page from an unknown sender.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and 0 < length(body.links) < 10
 9  and any(body.links,
10          ml.link_analysis(.).credphish.disposition == "phishing"
11          and (
12             ml.link_analysis(.).credphish.confidence in ("medium", "high")
13             or ml.link_analysis(.).credphish.contains_captcha
14          )
15          and length(ml.link_analysis(.).final_dom.links) < 50
16  )
17  and (
18    (
19      not profile.by_sender().solicited
20      and profile.by_sender().prevalence != "common"
21    )
22    or (
23      profile.by_sender().any_messages_malicious_or_spam
24      and not profile.by_sender().any_false_positives
25    )
26  )
27  // negate legit replies threads
28  and not (
29    (
30      strings.istarts_with(subject.subject, "RE:")
31      // out of office auto-reply
32      or strings.istarts_with(subject.subject, "Automatic reply:")
33    )
34    and (
35      length(headers.references) > 0
36      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
37    )
38  )
39  // negate highly trusted sender domains unless they fail DMARC authentication
40  and (
41    (
42      sender.email.domain.root_domain in $high_trust_sender_root_domains
43      and not headers.auth_summary.dmarc.pass
44    )
45    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
46  )
47  
48  // exclude bounce backs & read receipts
49  and not strings.like(sender.email.local_part,
50                       "*postmaster*",
51                       "*mailer-daemon*",
52                       "*administrator*"
53  )
54  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
55  and not any(attachments, .content_type == "message/delivery-status")
56  // if the "References" is in the body of the message, it's probably a bounce
57  and not any(headers.references, strings.contains(body.html.display_text, .))
58  and not profile.by_sender().any_false_positives  
59
60
61attack_types:
62  - "Credential Phishing"
63tactics_and_techniques:
64  - "Social engineering"
65detection_methods:
66  - "Computer Vision"
67  - "Sender analysis"
68  - "URL analysis"
69  - "URL screenshot"
70id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"
to-top