Link: Multistage Landing - Abused Buildin.ai
Analyzes shared content links from the buildin.ai domain and flags those whose landing page display text contains credential harvesting language with medium to high confidence.
Sublime rule (View on GitHub)
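# Sublime detection rule: flags inbound messages that link to a Buildin.ai
# shared page whose rendered text is classified as credential theft.
name: "Link: Multistage Landing - Abused Buildin.ai"
description: "Analyzes shared content links from buildin.ai domain that contain credential harvesting language with medium to high confidence in the display text."
type: "rule"
severity: "medium"
# NOTE(review): the query below has no sender or recipient-history negation, so
# a legitimate Buildin.ai share whose page discusses sign-in may also match.
# Confirm the false-positive rate before attaching an automated action.
source: |
  type.inbound

  // filter to just buildin.ai shared-content links; root_domain also covers
  // subdomains, and the '/share' path test is case-insensitive
  and any(filter(body.links,
                 (
                   .href_url.domain.root_domain == "buildin.ai"
                   and strings.icontains(.href_url.path, '/share')
                 )
          ),
          // inspect display text of the page reached by link analysis
          // (final_dom), not the anchor text in the message body
          any(ml.nlu_classifier(ml.link_analysis(., mode="aggressive").final_dom.display_text
              ).intents,
              .name == "cred_theft" and .confidence in ("medium", "high")
          )
  )

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Natural Language Understanding"
id: "e0a79ef5-291e-5492-9449-c17d79f1cb23"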