Link: Multistage Landing - Ludus Presentation
Detects when a standalone Ludus document link contains embedded links that are suspicious, particularly those targeting Microsoft services through various evasion techniques. The rule analyzes both the presentation content and linked destinations for suspicious patterns and redirects.
name: "Link: Multistage Landing - Ludus Presentation"
description: "Detects when a standalone Ludus document link contains embedded links that are suspicious, particularly those targeting Microsoft services through various evasion techniques. The rule analyzes both the presentation content and linked destinations for suspicious patterns and redirects."
type: "rule"
severity: "medium"
source: |
  // inbound messages only
  type.inbound
  // only one link to Ludus: keep body links whose root domain is ludus.one,
  // dedupe them by full URL, and require exactly one distinct URL
  and length(distinct(filter(body.links,
                             .href_url.domain.root_domain in ("ludus.one")
                      ),
                      .href_url.url
               )
  ) == 1
  // follow that Ludus link and inspect what the rendered document contains
  and any(body.links,
          .href_url.domain.root_domain in ("ludus.one")
          and (
            // links embedded in the rendered presentation (final DOM from link analysis)
            any(ml.link_analysis(.).final_dom.links,
                // NOTE(review): the document is hosted on ludus.one but only ludus.com is
                // excluded here; confirm whether self-links back to ludus.one should be
                // excluded as well
                .href_url.domain.root_domain != "ludus.com"
                // once we have additional responses, add # of slides == 1 logic
                and (
                  // destination on a suspicious TLD or a free subdomain host
                  .href_url.domain.tld in $suspicious_tlds
                  or .href_url.domain.domain in $free_subdomain_hosts
                  or .href_url.domain.root_domain in $free_subdomain_hosts
                  // observed pattern in credential theft URLs
                  or strings.ilike(.href_url.path,
                                   "*o365*",
                                   "*office365*",
                                   "*microsoft*"
                  )
                  // observed pattern in credential theft URLs
                  or strings.ilike(.href_url.query_params,
                                   "*o365*",
                                   "*office365*",
                                   "*microsoft*"
                  )
                  // observed pattern in credential theft URLs, this time inside
                  // base64 content found in the query params
                  or any(beta.scan_base64(.href_url.query_params),
                         strings.ilike(., "*o365*", "*office365*", "*microsoft*")
                  )
                  // aggressive link analysis of the embedded destination: a credential
                  // phishing verdict, a CAPTCHA gate, or "I'm Human" verification text
                  or ml.link_analysis(.href_url, mode="aggressive").credphish.disposition == "phishing"
                  or ml.link_analysis(.href_url, mode="aggressive").credphish.contains_captcha
                  or strings.icontains(ml.link_analysis(.href_url,
                                                        mode="aggressive"
                                       ).final_dom.display_text,
                                       "I'm Human"
                  )
                  // bails out to a well-known domain, seen in evasion attempts
                  // (at least one redirect, ending on a root domain in $tranco_10k)
                  or (
                    length(ml.link_analysis(.href_url, mode="aggressive").redirect_history
                    ) > 0
                    and ml.link_analysis(.href_url, mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                  )
                )
            )
            // credential theft language on the main Ludus page: OCR the screenshot of
            // the rendered document and run NLU intent classification on the text
            or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.,
                                                               mode="aggressive"
                                              ).screenshot
                                     ).text
                   ).intents,
                   .name == "cred_theft" and .confidence != "low"
            )
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Computer Vision"
  - "URL screenshot"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "a8b3c311-5cb8-513f-9b5e-7d8849f8fc41"