Credential phishing link (unknown sender)

Message contains a link to a credential phishing page from an unknown sender.

Sublime rule (View on GitHub)

 1name: "Credential phishing link (unknown sender)"
 2description: |
 3    Message contains a link to a credential phishing page from an unknown sender.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and 0 < length(body.links) < 10
 9  and any(body.links,
10          ml.link_analysis(.).credphish.disposition == "phishing"
11          and ml.link_analysis(.).credphish.confidence in ("medium", "high")
12  )
13  and (
14    (
15      not profile.by_sender().solicited
16      and profile.by_sender().prevalence != "common"
17    )
18    or (
19      profile.by_sender().any_messages_malicious_or_spam
20      and not profile.by_sender().any_false_positives
21    )
22  )
23  // negate legit replies threads
24  and not (
25    (
26      strings.istarts_with(subject.subject, "RE:")
27      // out of office auto-reply
28      or strings.istarts_with(subject.subject, "Automatic reply:")
29    )
30    and (
31      length(headers.references) > 0
32      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
33    )
34  )
35  // negate highly trusted sender domains unless they fail DMARC authentication
36  and (
37    (
38      sender.email.domain.root_domain in $high_trust_sender_root_domains
39      and not headers.auth_summary.dmarc.pass
40    )
41    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
42  )
43  
44  // exclude bounce backs & read receipts
45  and not strings.like(sender.email.local_part,
46                       "*postmaster*",
47                       "*mailer-daemon*",
48                       "*administrator*"
49  )
50  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
51  and not any(attachments, .content_type == "message/delivery-status")
52  // if the "References" is in the body of the message, it's probably a bounce
53  and not any(headers.references, strings.contains(body.html.display_text, .))
54  and not profile.by_sender().any_false_positives  
55
56
57attack_types:
58  - "Credential Phishing"
59tactics_and_techniques:
60  - "Social engineering"
61detection_methods:
62  - "Computer Vision"
63  - "Sender analysis"
64  - "URL analysis"
65  - "URL screenshot"
66id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"
to-top