Credential phishing link (unknown sender)
Message contains a link to a credential phishing page from an unknown sender.
# Sublime detection rule: flags inbound messages that carry a link which the
# credential-phishing link classifier marks as "phishing", provided the sender
# is unsolicited/uncommon or previously flagged, and the message does not look
# like a reply thread, a DMARC-authenticated high-trust domain, or a bounce.
name: "Credential phishing link (unknown sender)"
description: |
  Message contains a link to a credential phishing page from an unknown sender.
type: "rule"
severity: "high"
# MQL query; every top-level `and` clause below must hold for the rule to fire.
source: |
  type.inbound
  // at least one link, but fewer than ten (presumably to keep link-heavy bulk
  // mail out of scope and bound the per-message link analysis — confirm intent)
  and 0 < length(body.links) < 10
  // at least one link is classified as credential phishing with medium/high
  // confidence, or the landing page presents a CAPTCHA (a lower-confidence
  // verdict is accepted in that case)
  and any(body.links,
          ml.link_analysis(.).credphish.disposition == "phishing"
          and (
            ml.link_analysis(.).credphish.confidence in ("medium", "high")
            or ml.link_analysis(.).credphish.contains_captcha
          )
  )
  // sender gating: either an unsolicited, not-commonly-seen sender, or a sender
  // with prior malicious/spam history and no recorded false positives
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence != "common"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // NOTE(review): redundant — the same condition is applied unconditionally
      // at the end of the rule, so this branch cannot change the outcome
      and not profile.by_sender().any_false_positives
    )
  )
  // negate legitimate reply threads: a reply-style subject together with
  // threading headers (References or In-Reply-To). Both signals are set by the
  // sending side, so this exclusion favors precision over recall.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    and (
      length(headers.references) > 0
      // case-insensitive match on the header name across all hops
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication:
  // a listed root domain is only excluded when DMARC passes, so a DMARC-failing
  // message claiming such a domain still reaches the verdict
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // exclude bounce backs & read receipts
  // `*` is the wildcard for strings.like; any of the three patterns matches
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  // case-insensitive, anchored to the start of the subject
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  // DSN attachments mark delivery-status reports
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  // (bounces commonly quote the original headers in the body)
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // hard exclusion for senders with any recorded false positive
  and not profile.by_sender().any_false_positives


# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
# UUID-formatted rule identifier; keep stable across edits to the rule.
id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"