Link: Invoice or receipt from freemail sender with customer service number
An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
Sublime rule (View on GitHub)
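name: "Link: Invoice or receipt from freemail sender with customer service number"
description: |
  An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
type: "rule"
severity: "low"
authors:
  - twitter: "vector_sec"
# NOTE(review): the query below never inspects the body for a phone number.
# The name and description describe the lure; detection actually rests on the
# freemail sender plus the structural "Unsubscribe" link heuristic in `source`.
source: |
  type.inbound
  // sender's root domain is on the free-email-provider list
  and sender.email.domain.root_domain in $free_email_providers
  // at least one link whose visible text is exactly "Unsubscribe" (== is an
  // exact, case-sensitive match) and whose href carries no query string and
  // points at a bare site root, or at a google.com page other than a Forms
  // URL. Presumably the idea is that genuine list-management links carry a
  // per-recipient token in the query string, so a bare root link is a decoy.
  and any(body.links,
          .display_text == "Unsubscribe"
          and (
            length(.href_url.query_params) == 0 or .href_url.query_params is null
          )
          and (
            .href_url.path == "/"
            or .href_url.path is null
            or (
              .href_url.domain.root_domain == "google.com"
              // strings.ilike is a case-insensitive glob match
              and not strings.ilike(.href_url.path, "*/forms/*")
            )
          )
  )
  // exclusion: senders present in $sender_emails (presumably addresses the
  // organization has already exchanged mail with -- verify before tuning)
  and sender.email.email not in $sender_emails
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "3825232d-be75-5ad1-ba7f-a3ec97d23960"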