Link: Invoice or receipt from freemail sender with customer service number
An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
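# Sublime Security detection rule. The scalar keys are rule metadata shown in the
# Sublime UI; the `source` block scalar is the MQL query evaluated per inbound message.
# (The rendered listing had gutter line numbers fused onto each key, e.g. `1name:`,
# which is not valid YAML; they are dropped here.)
name: "Link: Invoice or receipt from freemail sender with customer service number"
description: |
  An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
type: "rule"
severity: "low"
authors:
  - twitter: "vector_sec"
source: |
  // Scope: inbound mail whose sender root domain is in the $free_email_providers list
  // (presumably consumer webmail domains; the list contents are not defined in this file).
  type.inbound
  and sender.email.domain.root_domain in $free_email_providers
  // Content signal: a body link displayed as "Unsubscribe" whose target has no query
  // parameters and either a bare root path, no path at all, or a google.com URL that is
  // not a Forms link. The rule treats this shape as a decoy unsubscribe link -- presumably
  // because such a target cannot actually perform an unsubscribe; a genuine one would
  // normally carry a token or a specific path. Note that, despite the rule name, no
  // phone-number check is performed; this link shape is the only content signal.
  and any(body.links,
          .display_text == "Unsubscribe"
          and (length(.href_url.query_params) == 0 or .href_url.query_params is null)
          and (
            .href_url.path == "/"
            or .href_url.path is null
            or (
              .href_url.domain.root_domain == "google.com"
              and not strings.ilike(.href_url.path, "*/forms/*")
            )
          )
  )
  // Sender exclusion: addresses already present in the $sender_emails list are skipped so
  // that known, legitimate freemail correspondents are not flagged; the rule is aimed at
  // first-time senders.
  and sender.email.email not in $sender_emails
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "3825232d-be75-5ad1-ba7f-a3ec97d23960"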