Credential phishing: Engaging language with IPFS link

 1name: "Credential phishing: Engaging language with IPFS link"
 2description: |
 3    Body contains credential theft indicators, and contains a link to an IPFS site. IPFS has been recently observed hosting phishing sites.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and strings.ilike(body.html.display_text, "*expir*")
 9  and strings.ilike(body.html.display_text, "*password*")
10  and any(ml.nlu_classifier(body.html.display_text).intents, .name == "cred_theft")
11  and any(body.links,
12          strings.icontains(beta.linkanalysis(.).effective_url.url, 'ipfs')
13          or (
14            regex.icontains(beta.linkanalysis(.).effective_url.path, '[\.-/]ipfs|ipfs[\.-/]')
15            and beta.linkanalysis(.).effective_url.domain.domain not in $org_domains
16            and (
17              (
18                // don't include high rep domains
19                beta.linkanalysis(.).effective_url.domain.domain not in $tranco_1m
20                and beta.linkanalysis(.).effective_url.domain.domain not in $umbrella_1m
21              )
22              // if it's in Tranco or Umbrella, still include it if it's one of these
23              or beta.linkanalysis(.).effective_url.domain.domain in $free_file_hosts
24              or beta.linkanalysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
25            )
26          )
27  )  
28attack_types:
29  - "Credential Phishing"
30tactics_and_techniques:
31  - "Free file host"
32  - "Free subdomain host"
33  - "IPFS"
34detection_methods:
35  - "Content analysis"
36  - "Natural Language Understanding"
37  - "URL analysis"
38id: "996c4d83-0a13-53e4-928c-6c08caeedab7"