Link: Multistage Landing - Abused Buildin.ai

Analyzes shared-content links on the buildin.ai domain whose display text (after link analysis) contains credential-harvesting language classified at medium or high confidence.

Sublime rule (View on GitHub)

 1name: "Link: Multistage Landing - Abused Buildin.ai"
 2description: "Analyzes shared content links from buildin.ai domain that contain credential harvesting language with medium to high confidence in the display text."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // filter to just buildin.ai
 9  and any(filter(body.links,
10                 (
11                   .href_url.domain.root_domain == "buildin.ai"
12                   and strings.icontains(.href_url.path, '/share')
13                 // inspect display text
14                 )
15          ),
16          any(ml.nlu_classifier(ml.link_analysis(., mode="aggressive").final_dom.display_text
17              ).intents,
18              .name == "cred_theft" and .confidence in ("medium", "high")
19          )
20  )  
21
22attack_types:
23  - "Credential Phishing"
24tactics_and_techniques:
25  - "Free file host"
26  - "Social engineering"
27detection_methods:
28  - "URL analysis"
29  - "Natural Language Understanding"
30id: "e0a79ef5-291e-5492-9449-c17d79f1cb23"