Credential phishing link (unknown sender)

Message contains a link to a credential phishing page from an unknown sender.

Sublime rule (View on GitHub)

# Sublime Security detection rule: a YAML wrapper around an MQL `source` expression.
# Fires on inbound messages carrying a link that ML link analysis classifies as a
# credential-phishing page, when the sender is not an established correspondent
# (unsolicited and not common) or has a malicious/spam history with no benign
# messages. The exclusions inside `source` suppress common false positives:
# embedded reCAPTCHA badges, reply/auto-reply threads, trusted domains that pass
# DMARC, and bounce-back / read-receipt traffic.
name: "Credential phishing link (unknown sender)"
description: |
    Message contains a link to a credential phishing page from an unknown sender.
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail with at least one but fewer than ten links
  type.inbound
  and 0 < length(body.links) < 10
  // At least one link must be judged a credential-phishing page by ML link
  // analysis: "phishing" disposition with medium/high confidence, or a CAPTCHA
  // gate on the landing page; the landing page must also carry fewer than 50 links
  and any(body.links,
          ml.link_analysis(.).credphish.disposition == "phishing"
          and (
            ml.link_analysis(.).credphish.confidence in ("medium", "high")
            or ml.link_analysis(.).credphish.contains_captcha
          )
          and length(ml.link_analysis(.).final_dom.links) < 50
          // negate legitimate use of the Google reCAPTCHA embedded badge:
          // exactly one bottom-right grecaptcha-badge div in the rendered DOM
          and not (
            (
              ml.link_analysis(.).credphish.brand.name == "Captcha"
              or ml.link_analysis(.).credphish.contains_captcha
            )
            and length(html.xpath(ml.link_analysis(.).final_dom,
                                  "//div[@class='grecaptcha-badge' and @data-style='bottomright']"
                       ).nodes
            ) == 1
          )
  )
  // Sender profile: either unsolicited and not a common correspondent, or a
  // sender with prior malicious/spam messages and no benign ones
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence != "common"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // negate legitimate reply threads: a reply/auto-reply subject prefix combined
  // with threading headers (References or In-Reply-To)
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // ($high_trust_sender_root_domains is a list maintained outside this rule)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // Any prior benign message from this sender suppresses the alert. This also
  // makes the "not any_messages_benign" condition in the sender-profile branch
  // above redundant.
  and not profile.by_sender().any_messages_benign
# Classification metadata for the detection
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
# Stable rule identifier (UUID)
id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"