Credential phishing link (first-time sender)

 1name: "Credential phishing link (first-time sender)"
 2description: |
 3    Message contains a link to a credential phishing page from a first-time sender.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(body.links,
 9          beta.linkanalysis(.).credphish.disposition == "phishing"
10          and beta.linkanalysis(.).credphish.confidence in ("medium", "high")
11  )
12  and (
13    profile.by_sender().prevalence in ("new", "outlier")
14    or (
15      profile.by_sender().any_messages_malicious_or_spam
16      and not profile.by_sender().any_false_positives
17    )
18  )
19
20  // negate highly trusted sender domains unless they fail DMARC authentication
21  and
22  (
23    (
24      sender.email.domain.root_domain in $high_trust_sender_root_domains
25      and (
26        any(distinct(headers.hops, .authentication_results.dmarc is not null),
27            strings.ilike(.authentication_results.dmarc, "*fail")
28        )
29      )
30    )
31    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
32  )  
33
34attack_types:
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "Social engineering"
38detection_methods:
39  - "Computer Vision"
40  - "Sender analysis"
41  - "URL analysis"
42  - "URL screenshot"
43id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"