Link: Financial account issue with suspicious indicators

Detects messages to single recipients containing language about account or payment issues combined with suspicious links or high-confidence credential theft indicators related to financial communications.


# Sublime Security detection rule. Every clause in `source` is joined with
# `and`: the single-recipient check, the lure phrase, one suspicious link,
# both NLU verdicts and the trusted-sender negation must all hold for a match.
name: "Link: Financial account issue with suspicious indicators"
description: "Detects messages to single recipients containing language about account or payment issues combined with suspicious links or high-confidence credential theft indicators related to financial communications."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // single recipient
  and length(recipients.to) == 1
  // problem phrase commonly observed in lures
  // up to 20 characters may sit between "your" and the object noun
  and regex.icontains(body.current_thread.text,
                      '(?:issue|problem) with your.{0,20}(?:card|account|renewal|payment|billing)'
  )
  // link is suspicious for one reason or another
  // a single link must satisfy one of the checks in the group below AND both
  // exclusions that follow the group
  and any(body.links,
          (
            .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $free_subdomain_hosts
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $self_service_creation_platform_domains
            or .href_url.domain.tld in $suspicious_tlds
            // NOTE(review): days_old is only comparable when the whois lookup
            // returns a value; behaviour when it is missing is not shown here
            or network.whois(.href_url.domain).days_old < 30
            // hard-coded root domain treated as suspicious
            or .href_url.domain.root_domain == 'sa.com'
          )
          // root domains excluded even when they match a list above
          and not .href_url.domain.root_domain in (
            'app.link',
            'sng.link',
            'onelink.me'
          )
          // no campaigns
          // NOTE(review): anchored on '&', so a utm_* parameter that is the
          // first query parameter ('?utm_...') is not excluded - confirm intended
          and not regex.icontains(.href_url.url,
                                  '&utm_(?:campaign|medium|source)'
          )
  )
  
  // high confidence cred theft with a topic of either financial or payment comms
  // both NLU verdicts are required in addition to the link checks above;
  // the classifier is invoked on the same text twice
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence == 'high'
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Financial Communications", "Payment Information")
          and .confidence == 'high'
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // equivalent to: not (trusted root domain and DMARC pass); a missing DMARC
  // result is coalesced to false, so a trusted sender without one still matches
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# classification metadata; not evaluated as part of the match
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "Whois"
# stable identifier for this rule
id: "d4d64041-8adb-533b-8918-fac88fb3dfae"