Credential phishing: Engaging language with IPFS link
Body contains credential theft indicators, and contains a link to an IPFS site. IPFS has been recently observed hosting phishing sites.
Sublime rule

```yaml
name: "Credential phishing: Engaging language with IPFS link"
description: |
  Body contains credential theft indicators, and contains a link to an IPFS site. IPFS has been recently observed hosting phishing sites.
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.ilike(body.html.display_text, "*expir*")
  and strings.ilike(body.html.display_text, "*password*")
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft"
  )
  and any(body.links,
          strings.icontains(ml.link_analysis(.).effective_url.url, 'ipfs')
          or (
            regex.icontains(ml.link_analysis(.).effective_url.path,
                            '[\.-/]ipfs|ipfs[\.-/]'
            )
            and ml.link_analysis(.).effective_url.domain.domain not in $org_domains
            and (
              (
                // don't include high rep domains
                ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
                and ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
              )
              // if it's in Tranco or Umbrella, still include it if it's one of these
              or ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
              or ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
              or ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
            )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "IPFS"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "996c4d83-0a13-53e4-928c-6c08caeedab7"
```
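To see how the rule's body and link conditions combine, here is an added plain-Python approximation of its logic run over a constructed message; it is not Sublime's code. It assumes no redirect following (the effective URL is the raw link), replaces the NLU `cred_theft` intent with the two keyword checks alone, and stands in for the `$org_domains`, `$tranco_1m`/`$umbrella_1m`, `$free_file_hosts` and `$free_subdomain_hosts` lists with small constructed sets.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for the rule's list variables (assumptions, not real feeds).
ORG_DOMAINS = {"example-corp.com"}                       # $org_domains
HIGH_REP = {"google.com", "mail.google.com", "dropbox.com"}  # $tranco_1m / $umbrella_1m
FREE_FILE_HOSTS = {"dropbox.com"}                        # $free_file_hosts
FREE_SUBDOMAIN_HOSTS = {"web.app", "pages.dev"}          # $free_subdomain_hosts

# The rule's own path regex, applied case-insensitively as regex.icontains does.
IPFS_PATH_RE = re.compile(r"[\.-/]ipfs|ipfs[\.-/]", re.IGNORECASE)


def root_domain(host: str) -> str:
    """Approximates effective_url.domain.root_domain as the last two labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def link_is_suspicious(url: str) -> bool:
    """One link's evaluation of the any(body.links, ...) predicate, as written."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if "ipfs" in url.lower():          # strings.icontains(effective_url.url, 'ipfs')
        return True
    # Second branch: path regex plus domain gating (only reached if the first check failed).
    if not IPFS_PATH_RE.search(parsed.path) or host in ORG_DOMAINS:
        return False
    low_reputation = host not in HIGH_REP     # not in $tranco_1m and not in $umbrella_1m
    free_host = (host in FREE_FILE_HOSTS
                 or root_domain(host) in FREE_FILE_HOSTS
                 or root_domain(host) in FREE_SUBDOMAIN_HOSTS)
    return low_reputation or free_host


def message_matches(display_text: str, links: list) -> list:
    """Body keyword checks (stand-in for the NLU intent), then the link predicate.
    Returns the links that fired; an empty list means the rule would not match."""
    text = display_text.lower()
    if "expir" not in text or "password" not in text:
        return []
    return [u for u in links if link_is_suspicious(u)]


# Constructed sample message: engaging language plus an IPFS gateway link.
SAMPLE_TEXT = "Your password will expire in 24 hours. Verify your account now to keep access."
SAMPLE_LINKS = ["https://dweb.link/ipfs/bafyexamplecid/login.html",
                "https://example-corp.com/help",
                "https://mail.google.com/"]

if __name__ == "__main__":
    print(message_matches(SAMPLE_TEXT, SAMPLE_LINKS))
```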