Free subdomain link with login or captcha (first-time sender)
Message contains a link that uses a free subdomain provider, and has a login or captcha on the page.
Sublime rule
# Sublime Security detection rule; the query under `source` is MQL.
# Fires on inbound mail carrying a link hosted on a free subdomain provider
# whose landing page shows a login form or a captcha, when the sender is one
# the organisation has not seen before (see the first-time sender block).
1name: "Free subdomain link with login or captcha (first-time sender)"
2description: |
3 Message contains a link that uses a free subdomain provider, and has a login or captcha on the page.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
 // the link conditions below are evaluated per link; one matching link is enough
8 and any(body.links,
9
10 // contains login or captcha
 // beta.linkanalysis(.) inspects the linked page; the rule therefore depends
 // on that analysis producing a result for the link (presumably these
 // predicates simply do not match when it cannot -- confirm against the
 // platform docs)
11 (
12 beta.linkanalysis(.).credphish.contains_login
13 or beta.linkanalysis(.).credphish.contains_captcha
14 )
15
16 // either the original or the redirect is a free subdomain
 // $free_subdomain_hosts is a list referenced here but maintained outside this rule
17 and (
18 beta.linkanalysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
19 or .href_url.domain.root_domain in $free_subdomain_hosts
20 )
21
22 // exclude FP prone free subdomain hosts
23 // if it's a known brand impersonation, we'll detect it in other rules
24 and .href_url.domain.root_domain not in ("zendesk.com")
25 and beta.linkanalysis(.).effective_url.domain.root_domain not in ("zendesk.com")
 // unlike the two exclusions above this compares the full hostname
 // (.domain.domain) rather than the registrable root, so presumably only
 // that exact host is excluded, not every squarespace.com host
26 and beta.linkanalysis(.).effective_url.domain.domain not in ("login.squarespace.com")
27 )
28
29 // exclude FP prone senders
 // this sits outside any(), so it suppresses the whole rule for the sender
 // no matter which links the message contains
30 and sender.email.domain.root_domain not in ("sharepointonline.com")
31
32 // first-time sender
 // senders on a free-mail provider are judged per address ($sender_emails);
 // every other sender is judged per domain ($sender_domains). Both lists,
 // like $free_email_providers, are defined outside this rule.
33 and (
34 (
35 sender.email.domain.root_domain in $free_email_providers
36 and sender.email.email not in $sender_emails
37 )
38 or (
39 sender.email.domain.root_domain not in $free_email_providers
40 and sender.email.domain.domain not in $sender_domains
41 )
42 )
# Classification metadata: what the rule detects and which signals it relies on.
43attack_types:
44 - "Credential Phishing"
45tactics_and_techniques:
46 - "Free subdomain host"
47 - "Social engineering"
48detection_methods:
49 - "Computer Vision"
50 - "File analysis"
51 - "Sender analysis"
52 - "URL screenshot"
# Stable identifier for this rule.
53id: "93288f82-fbd2-5e88-b207-7f06386495a6"