Link: Invoice or receipt from freemail sender with customer service number
An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
Sublime rule (View on GitHub)
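name: "Link: Invoice or receipt from freemail sender with customer service number"
description: |
  An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
type: "rule"
severity: "low"
authors:
  - twitter: "vector_sec"
# NOTE(review): the name/description describe an invoice/receipt lure with a
# callback number, but the source below does not inspect body text for
# invoice/receipt wording or for a phone number. Detection rests entirely on a
# freemail sender plus a stateless "Unsubscribe" link (a common artefact of
# pasted marketing templates). Confirm this is the intended signal, or extend
# the source with a content check if the title is to be taken literally.
source: |
  type.inbound
  // sender's root domain is a consumer webmail provider ($free_email_providers
  // is a platform-supplied list; not defined in this file)
  and sender.email.domain.root_domain in $free_email_providers
  // an "Unsubscribe" link whose target carries no per-recipient state:
  // no query string and either a bare root path or a google.com URL that is
  // not a Google Forms link. Real list-unsubscribe links almost always carry a
  // token in the query string or path, so a bare one suggests a copied template.
  // Matched case-insensitively so "unsubscribe"/"UNSUBSCRIBE" footers are not
  // missed; the original exact match on "Unsubscribe" skipped those variants.
  and any(body.links,
          strings.ilike(.display_text, "unsubscribe")
          and (
            length(.href_url.query_params) == 0
            or .href_url.query_params is null
          )
          and (
            .href_url.path == "/"
            or .href_url.path is null
            or (
              .href_url.domain.root_domain == "google.com"
              and not strings.ilike(.href_url.path, "*/forms/*")
            )
          )
  )
  // suppress senders already present in $sender_emails (platform-supplied;
  // presumably addresses the recipient org has previously exchanged mail with — confirm)
  and sender.email.email not in $sender_emails
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "3825232d-be75-5ad1-ba7f-a3ec97d23960"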