Link: URL shortener with copy-paste instructions and credential theft language
Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry.
Sublime rule
name: "Link: URL shortener with copy-paste instructions and credential theft language"
description: "Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(body.current_thread.links) > 0
  and all(body.current_thread.links,
          .href_url.domain.root_domain in $url_shorteners
  )
  and (
    strings.icontains(body.current_thread.text, 'copy')
    and (
      strings.icontains(body.current_thread.text, 'pasting')
      or strings.icontains(body.current_thread.text, 'paste')
    )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence == 'high'
  )
  and (
    // self sender
    (
      length(recipients.to) == 1
      and sender.email.email == recipients.to[0].email.email
    )
    // or the recipients are all undisclosed, or there are no recipients
    or (
      length(recipients.to) == 0
      or all(recipients.to, .email.domain.valid == false)
    )
  )
  // negate display urls that match the sender root domain
  and not any(body.current_thread.links,
              .display_url.domain.root_domain == sender.email.domain.root_domain
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "a0a2c573-3686-590e-8715-fc4a32202c92"
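To make the rule's clauses concrete, here is an added Python re-implementation of the same conjunction run over constructed sample messages; it is not Sublime's engine or MQL. It assumes a small hand-picked stand-in for the `$url_shorteners` list, and the NLU classifier's intents are supplied with each message rather than computed.

```python
from dataclasses import dataclass

# Assumption: a constructed stand-in for Sublime's $url_shorteners list.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

@dataclass
class Link:
    href_root: str     # .href_url.domain.root_domain (where the link really goes)
    display_root: str  # .display_url.domain.root_domain (what the recipient sees)

@dataclass
class Message:
    inbound: bool
    sender: str
    to: list           # recipient addresses; "undisclosed-recipients:;" has no valid domain
    text: str
    links: list
    intents: list      # (name, confidence) pairs, as ml.nlu_classifier would return them

def root_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def has_valid_domain(addr: str) -> bool:
    return "@" in addr and "." in root_domain(addr)

def matches(m: Message) -> bool:
    """Mirror the rule's conjunction: every clause must hold for an alert."""
    if not (m.inbound and m.links):
        return False
    if not all(l.href_root in URL_SHORTENERS for l in m.links):  # only shortener links
        return False
    text = m.text.lower()
    if not ("copy" in text and ("paste" in text or "pasting" in text)):
        return False
    if not any(n == "cred_theft" and c == "high" for n, c in m.intents):
        return False
    self_sent = len(m.to) == 1 and m.sender.lower() == m.to[0].lower()
    undisclosed = not m.to or all(not has_valid_domain(r) for r in m.to)
    if not (self_sent or undisclosed):
        return False
    # Negate links whose visible domain is the sender's own root domain.
    return not any(l.display_root == root_domain(m.sender) for l in m.links)

# Constructed samples: a self-addressed lure and a legitimate message to a real recipient.
LURE = "Mailbox full. Copy the link and paste it into your browser to confirm your password."
PHISH = Message(True, "it@example.com", ["it@example.com"], LURE,
                [Link("bit.ly", "bit.ly")], [("cred_theft", "high")])
NEWSLETTER = Message(True, "news@example.org", ["alice@example.net"], "Copy and paste our code",
                     [Link("bit.ly", "bit.ly")], [("cred_theft", "low")])
```

Each early return corresponds to one `and` clause of the rule, so a miss can be traced to the clause that failed.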