Credential phishing link (first-time sender)
Message contains a link to a credential phishing page from a first-time sender.
Sublime rule
name: "Credential phishing link (first-time sender)"
description: |
  Message contains a link to a credential phishing page from a first-time sender.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          beta.linkanalysis(.).credphish.disposition == "phishing"
          and beta.linkanalysis(.).credphish.brand.confidence in ("medium", "high")
  )
  // first-time sender
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
tags:
  - "Credential phishing"
  - "Suspicious link"
  - "Machine learning"
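To see how the two "first-time sender" branches interact with the link verdict, here is an added Python model of the rule's logic (not Sublime's engine or the project's own code). The list contents, the simplified domain handling (root domain and domain are treated as the same value) and the link verdicts are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-ins for the Sublime lists the rule references.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}   # $free_email_providers
SENDER_EMAILS = {"alice@gmail.com"}                    # $sender_emails (free-mail senders seen before)
SENDER_DOMAINS = {"partner.example"}                   # $sender_domains (corporate domains seen before)


@dataclass
class LinkVerdict:
    """Constructed stand-in for beta.linkanalysis(.).credphish on one link."""
    disposition: str        # e.g. "phishing"
    brand_confidence: str   # "low", "medium" or "high"


@dataclass
class Message:
    sender_email: str
    links: list[LinkVerdict]
    inbound: bool = True


def sender_domain(email: str) -> str:
    # Assumption: root_domain == domain for these samples (no subdomains).
    return email.rsplit("@", 1)[1].lower()


def is_first_time_sender(email: str) -> bool:
    """Free-mail senders are keyed by full address; everyone else by domain."""
    domain = sender_domain(email)
    if domain in FREE_EMAIL_PROVIDERS:
        return email.lower() not in SENDER_EMAILS
    return domain not in SENDER_DOMAINS


def has_credphish_link(links: list[LinkVerdict]) -> bool:
    """any(body.links, disposition == "phishing" and confidence in (medium, high))."""
    return any(v.disposition == "phishing" and v.brand_confidence in ("medium", "high")
               for v in links)


def rule_matches(msg: Message) -> bool:
    return msg.inbound and has_credphish_link(msg.links) and is_first_time_sender(msg.sender_email)


PHISH = [LinkVerdict("phishing", "high")]
WEAK = [LinkVerdict("phishing", "low")]
```

A known free-mail address does not fire even though its domain is a free provider, while any unknown address at the same provider does; a corporate domain is cleared as a whole once it is in `$sender_domains`.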