Credential phishing link (unknown sender)
Message contains a link to a credential phishing page from an unknown sender.
# Sublime Security detection rule.
# Fires on inbound mail carrying a link that link analysis classifies as a
# credential-phishing page, gated on sender reputation, and with exclusions for
# legitimate reply threads, high-trust domains that pass DMARC, and bounces /
# read receipts.
name: "Credential phishing link (unknown sender)"
description: |
  Message contains a link to a credential phishing page from an unknown sender.
type: "rule"
severity: "high"
source: |
  type.inbound
  // at least one link but fewer than ten; the upper bound presumably limits
  // link-analysis cost and keeps link-heavy bulk mail out of scope
  and 0 < length(body.links) < 10
  // some link is classified as a credential phishing page with medium or high
  // confidence (beta.* namespace, so the function may change)
  and any(body.links,
          beta.linkanalysis(.).credphish.disposition == "phishing"
          and beta.linkanalysis(.).credphish.confidence in ("medium", "high")
  )
  // sender gating: either an unsolicited sender that is not commonly seen, or a
  // sender with prior malicious/spam messages and no recorded false positives
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence != "common"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // the same check is also applied globally at the end of the rule
      and not profile.by_sender().any_false_positives
    )
  )
  // negate legitimate reply threads
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    // NOTE(review): References / In-Reply-To are sender-supplied headers, so this
    // exclusion trades some coverage for fewer false positives on real threads
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        // a high-trust root domain stays in scope only when a hop records a
        // DMARC failure, i.e. the trusted name may be spoofed
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // global safeguard: never alert on a sender with a recorded false positive
  and not profile.by_sender().any_false_positives

# Classification metadata for triage and reporting; not part of the detection logic.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
# rule identifier
id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"