Link: Multistage landing - FreshDesk knowledge base abuse

Aug 21, 2025 ·

Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains.

Sublime rule (View on GitHub)

 1name: "Link: Multistage landing - FreshDesk knowledge base abuse"
 2description: "Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  and any(filter(body.links,
 9                 .href_url.domain.root_domain == "freshdesk.com"
10                 and strings.icontains(.href_url.path, 'support/solutions')
11          ),
12          // link to unknown domain on the page
13          length(filter(ml.link_analysis(.).final_dom.links,
14                        .href_url.domain.root_domain not in ("freshworks.com")
15                        and .href_url.domain.root_domain not in $org_domains
16                        and .href_url.domain.root_domain != sender.email.domain.root_domain
17                 )
18          ) < 3
19          // cred theft language on the page
20          and any(ml.nlu_classifier(ml.link_analysis(.).final_dom.display_text).intents,
21                  .name == "cred_theft" and .confidence != "low"
22          )
23  )  
24
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Open redirect"
29  - "Impersonation: Brand"
30  - "Social engineering"
31detection_methods:
32  - "Content analysis"
33  - "Natural Language Understanding"
34  - "URL analysis"
35  - "URL screenshot"
36id: "edd6acf7-907f-5b06-aa2b-30ecc4982841"