Link: HR impersonation with suspicious domain indicators and credential theft

Detects inbound messages impersonating HR departments (HR-themed sender name or subject) that carry many links, at least one of which has a malformed domain or suspicious TLD/path pattern in its display text and whose linked page, when screenshotted and OCR'd, is classified by NLU as a credential-theft page.


name: "Link: HR impersonation with suspicious domain indicators and credential theft"
# NOTE(review): the credential-theft signal is not derived from the URL string itself;
# it comes from screenshotting the link (ml.link_analysis), OCR'ing the page and
# running the NLU intent classifier on that text (see the inner any() below).
description: "Detects messages impersonating HR departments containing many links with malformed domains, suspicious TLD patterns, and credential theft language detected through URL analysis."
type: "rule"
severity: "high"
source: |
  // Summary: inbound message + many links + HR-themed sender/subject + at least one
  // visible link whose display text looks malformed/suspicious AND whose screenshotted
  // page is classified as credential theft, minus benign-topic and long-thread exclusions.
  type.inbound
  // high number of links (threshold is a heuristic for link-stuffed lures)
  and length(body.links) > 20
  // hr-related sender display name, subject, or body text
  and (
    // "HR" as a whole word in the display name
    regex.icontains(sender.display_name, "\\bhr\\b")
    or strings.icontains(sender.display_name, "human resources")
    or strings.icontains(sender.display_name, "employee relation")
    // "salaries" with lookalike substitutions for the 'a' and 'i'; inside the
    // bracket class "|" is a literal pipe character, not alternation
    or regex.icontains(subject.subject, "sal[ai1l|]r[i1l|]es")
    // the trailing .{0,30} is effectively a no-op for an icontains match on "hr__"
    or regex.icontains(subject.subject, "hr__.{0,30}")
    or regex.icontains(subject.subject, "work.{0,5}hours")
    or regex.icontains(subject.subject,
                       "instant:.{0,20}(salaries|salary|changed|update)"
    )
    or strings.icontains(body.current_thread.text, "vacation plan")
  )
  // suspect domain irregularities (like www.,company.com)
  // NOTE: every regex in this block runs on the link's display text, not on the
  // resolved href; a clean-looking anchor text over a malicious href will not match here.
  and any(body.links,
          (
            // malformed domains with comma variations
            // NOTE(review): the "." is unescaped (any single character), unlike the
            // escaped "\\." in the patterns below; "www\\.?," would be the literal-dot
            // form -- confirm intended coverage before tightening
            regex.icontains(.display_text, "www.?,")
            // multiple consecutive dots
            or regex.icontains(.display_text, "\\.{2,}")
            // comma in domain position
            or regex.icontains(.display_text, "\\.,")
            // suspicious TLD patterns that might be typosquatting (tk/mv/cg are real
            // ccTLDs; tu/3v/ct/jh are not and read as mistyped TLDs)
            or regex.icontains(.display_text, "\\.(tu|cg|mv|tk|3v|ct|jh)/")
            // random characters in TLD position
            // NOTE(review): this is broad -- any 1-3 char alnum TLD followed by two
            // alnum path segments also matches ordinary URLs such as example.com/a/b/;
            // it is only tolerable because the screenshot/NLU check below gates it
            or regex.icontains(.display_text,
                               "\\.[a-z0-9]{1,3}/[a-z0-9]+/[a-z0-9]+/"
            )
            // URLs that contain obvious credential theft terms in the path
            // (same lookalike "salaries" class as the subject check above)
            or regex.icontains(.display_text,
                               "/(sal[ai1l|]r[i1l|]es|login|auth|verify|portal|payment)/"
            )
          )
          // only links the recipient can actually see
          and .visible == true
          // Expensive step: visit and screenshot the link, OCR the rendered page, and
          // require a high-confidence "cred_theft" intent from the NLU classifier.
          // The cheap display-text regexes above are written first so this runs only
          // for links that already look irregular (evaluation order presumed -- confirm).
          and any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
                  .name == "cred_theft" and .confidence == "high"
          )
  )
  // exclusions for legitimate sources: suppress when the current thread's NLU topic
  // is one of these benign/expected-to-contain-login-links categories at medium+ confidence
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                "Security and Authentication",
                "Secure Message",
                "Newsletters and Digests",
                "Entertainment and Sports"
              )
              and .confidence in ("medium", "high")
  )
  // exclude messages with a lot of previous correspondence (long established threads)
  and not length(body.previous_threads) > 5  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
  - "Lookalike domain"
# "URL screenshot" and "Computer Vision" reflect the link_analysis screenshot + OCR step;
# "Natural Language Understanding" covers both the cred_theft intent and the topic exclusions.
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Computer Vision"
  - "URL analysis"
  - "URL screenshot"
id: "f31f8831-905e-5384-97b3-70f6f84c7fcc"