Link: Credential theft with invisible Unicode character in page title from unsolicited sender
Detects messages containing credential theft language and links to pages with invisible Unicode characters in the title tag, a technique commonly used to evade detection in fraudulent pages.
Sublime rule
name: "Link: Credential theft with invisible Unicode character in page title from unsolicited sender"
description: "Detects messages containing credential theft language and links to pages with invisible Unicode characters in the title tag, a technique commonly used to evade detection in fraudulent pages."
type: "rule"
severity: "high"
source: |
  type.inbound
  // single recipient
  and length(recipients.to) == 1
  // valid recipient domain
  and recipients.to[0].email.domain.valid
  // between 1 and 14 links in the email
  and 0 < length(body.links) < 15
  // length of current thread is under 11k
  and length(body.current_thread.text) < 11000
  // tycoon captchas often have a page title with a specific unicode invisible char
  and any(body.links,
          strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                           "<title>\u{200B}</title>"
          )
          and length(ml.link_analysis(., mode="aggressive").final_dom.raw) < 10000
  )
  // unsolicited message
  and not profile.by_sender().solicited
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
  - "URL screenshot"
id: "5fe14d53-ef7f-5edb-a4a8-d2912382b564"
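The rule above matches the exact string `<title>\u{200B}</title>` in the rendered DOM. The following added example (not part of the Sublime rule or its repository) shows the same check outside the Sublime platform and generalises it: it parses the page's title and flags any title whose visible content is empty but which contains at least one invisible code point (Unicode format characters such as U+200B, U+200C, U+200D, U+2060, U+FEFF, plus a few blank-rendering fillers), while keeping the rule's size limit on the fetched DOM. The sample pages are constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser

# Category Cf (format) covers U+200B ZERO WIDTH SPACE, U+200C, U+200D,
# U+2060 WORD JOINER and U+FEFF.  These fillers render blank but are not Cf.
EXTRA_INVISIBLE = {"\u3164", "\u115f", "\u1160", "\u2800"}


class _TitleParser(HTMLParser):
    """Collect the text of the first <title> element (char refs decoded)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title, self.title = False, None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self.in_title, self.title = True, ""

    def handle_data(self, data):
        if self.in_title:
            self.title += data

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False


def extract_title(html):
    p = _TitleParser()
    p.feed(html)
    p.close()
    return p.title  # None when the page has no <title>


def is_invisible(ch):
    return unicodedata.category(ch) == "Cf" or ch in EXTRA_INVISIBLE


def invisible_title_chars(html):
    """Code points in the title that render invisibly, or None if no title."""
    title = extract_title(html)
    return None if title is None else [f"U+{ord(c):04X}" for c in title if is_invisible(c)]


def title_is_invisible_only(html, max_dom_len=10000):
    """True when the title has no visible text but holds an invisible char.
    Like the rule, documents of 10k chars or more are not evaluated."""
    title = extract_title(html) if len(html) < max_dom_len else None
    if not title:
        return False
    visible = "".join(c for c in title if not is_invisible(c)).strip()
    return visible == "" and any(is_invisible(c) for c in title)


# Constructed sample pages (not captured from any real site)
SAMPLE_SUSPECT = "<html><head><title>\u200b</title></head><body>Verify your account</body></html>"
SAMPLE_ENTITY = "<html><head><title>&#8203;</title></head></html>"  # entity form of U+200B
SAMPLE_BENIGN = "<html><head><title>Sign in - Example</title></head></html>"
```

Because char references are decoded before the check, `&#8203;` is caught as well as a literal U+200B, which the raw-string match in the rule would miss.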