Credential phishing link (first-time sender)
Message contains a link to a credential phishing page from a first-time sender.
name: "Credential phishing link (first-time sender)"
description: |
  Message contains a link to a credential phishing page from a first-time sender.
type: "rule"
severity: "high"
# Detection logic (MQL). The rule fires only when all three top-level
# conditions below are true for an inbound message:
#   1. at least one body link is classified as credential phishing,
#   2. the sender profile is unknown/unusual or has a bad track record,
#   3. the sender's root domain is not on the high-trust list, or it is
#      but a DMARC failure is recorded on a hop.
# Note: `//` is the comment syntax inside the MQL block; `#` lines here
# are YAML comments and must stay outside the block scalar.
source: |
  type.inbound

  // 1. Link condition: some link in the body is classified as a credential
  //    phishing page with medium or high confidence. Low-confidence
  //    classifications do not satisfy this clause. The `beta.` prefix
  //    marks linkanalysis as a beta function; linkanalysis is evaluated
  //    twice per link here (disposition, then confidence).
  and any(body.links,
          beta.linkanalysis(.).credphish.disposition == "phishing"
          and beta.linkanalysis(.).credphish.confidence in ("medium", "high")
  )

  // 2. Sender condition: either the sender profile prevalence is "new" or
  //    "outlier", OR the sender has previously sent messages flagged
  //    malicious/spam and has no recorded false positives. The second
  //    branch means repeat senders with a bad history also match, not
  //    only first-time senders as the rule title suggests.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // 3. Trusted-domain condition. $high_trust_sender_root_domains is a list
  //    referenced here but defined outside this rule (presumably a shared
  //    list maintained elsewhere — confirm). A message passes this clause
  //    when the sender's root domain is NOT on that list, or when it IS on
  //    the list but a hop carries a DMARC result matching "*fail"
  //    (case-insensitive, any value ending in "fail"). The distinct()
  //    call appears to reduce headers.hops to representatives keyed on
  //    whether a DMARC result is present — verify against the MQL
  //    reference for distinct() before relying on that reading.
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
# Methods listed here describe how the verdict is reached; the computer
# vision / URL screenshot entries presumably refer to what linkanalysis
# does internally, which this rule does not show — confirm.
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"