Link: Multistage landing - FreshDesk knowledge base abuse
Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains.
Sublime rule:

```yaml
name: "Link: Multistage landing - FreshDesk knowledge base abuse"
description: "Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.links) < 10
  and any(filter(body.links,
                 .href_url.domain.root_domain == "freshdesk.com"
                 and strings.icontains(.href_url.path, 'support/solutions')
          ),
          // link to unknown domain on the page
          length(filter(ml.link_analysis(.).final_dom.links,
                        .href_url.domain.root_domain not in ("freshworks.com")
                        and .href_url.domain.root_domain not in $org_domains
                        and .href_url.domain.root_domain != sender.email.domain.root_domain
                 )
          ) < 3
          // cred theft language on the page
          and any(ml.nlu_classifier(ml.link_analysis(.).final_dom.display_text).intents,
                  .name == "cred_theft" and .confidence != "low"
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "URL screenshot"
id: "edd6acf7-907f-5b06-aa2b-30ecc4982841"
```
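To make the rule's decision path concrete, here is an added Python walkthrough of the same logic run over constructed messages. It is not Sublime's code or API: the `Link` and `LandingPage` classes stand in for `body.links` and `ml.link_analysis(...).final_dom`, `root_domain` approximates the registrable domain by its last two labels, and the `CRED_THEFT_PHRASES` list is a crude stand-in for the `cred_theft` intent of `ml.nlu_classifier`. The sample URLs, sender domain, org domain and page text are all made up.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Link:
    """Stand-in for one entry of body.links / final_dom.links (assumption)."""
    href_url: str

    @property
    def host(self) -> str:
        return (urlparse(self.href_url).hostname or "").lower()

    @property
    def path(self) -> str:
        return urlparse(self.href_url).path


@dataclass
class LandingPage:
    """Stand-in for ml.link_analysis(link).final_dom after redirects (assumption)."""
    links: list
    display_text: str


def root_domain(host: str) -> str:
    # Approximation of .domain.root_domain: last two labels. A production
    # version would consult the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Constructed phrase list standing in for the NLU cred_theft intent; the
# confidence is derived from how many phrases the page text contains.
CRED_THEFT_PHRASES = ("verify your account", "sign in to continue",
                      "enter your password", "confirm your identity")


def cred_theft_confidence(text: str):
    """'low' / 'medium' / 'high' for the cred_theft intent, None if absent."""
    hits = sum(phrase in text.lower() for phrase in CRED_THEFT_PHRASES)
    if hits == 0:
        return None
    return {1: "low", 2: "medium"}.get(hits, "high")


def evaluate(body_links, sender_domain, org_domains, landing_pages, inbound=True):
    """Apply the rule's source block to one message; True means it fires."""
    if not inbound or len(body_links) >= 10:
        return False
    # filter(body.links, root_domain == "freshdesk.com" and icontains(path, ...))
    freshdesk_links = [l for l in body_links
                       if root_domain(l.host) == "freshdesk.com"
                       and "support/solutions" in l.path.lower()]
    for link in freshdesk_links:
        page = landing_pages.get(link.href_url)
        if page is None:
            continue  # no link-analysis result for this URL
        # Outbound links on the landing page that are neither Freshworks,
        # the organisation's own domains, nor the sender's domain.
        unknown = [l for l in page.links
                   if root_domain(l.host) != "freshworks.com"
                   and root_domain(l.host) not in org_domains
                   and root_domain(l.host) != sender_domain]
        if len(unknown) >= 3:
            continue  # a busy page, not the sparse lure the rule targets
        confidence = cred_theft_confidence(page.display_text)
        if confidence is not None and confidence != "low":
            return True
    return False


# --- Constructed samples (not real messages, tenants or pages) --------------
LURE_URL = "https://example-helpdesk.freshdesk.com/support/solutions/articles/12345"


def sample(page_links, text):
    return dict(body_links=[Link(LURE_URL)], sender_domain="example.net",
                org_domains=["example.org"],
                landing_pages={LURE_URL: LandingPage(page_links, text)})


SAMPLES = {
    # One unknown outbound link plus credential wording: should fire.
    "lure": sample([Link("https://login.example.com/auth")],
                   "Your mailbox is locked. Verify your account and enter your password."),
    # Genuine article: Freshworks links only, no credential wording.
    "benign_article": sample([Link("https://www.freshworks.com/"),
                              Link("https://support.freshworks.com/")],
                             "How to configure SLA policies in your helpdesk."),
    # A single weak phrase yields 'low' confidence, which the rule excludes.
    "weak_language": sample([Link("https://cdn.example.com/x")],
                            "Please sign in to continue reading this article."),
}


def run_samples():
    return {name: evaluate(**kw) for name, kw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15s} -> {'MATCH' if verdict else 'no match'}")
```

The three samples exercise the three gates in order: the Freshdesk-hosted article path, the "fewer than three unknown outbound links" count, and the confidence threshold on the credential-theft intent. When tuning the rule, the `benign_article` case is the one to keep green: a real knowledge-base page tends to carry several Freshworks or organisational links and no login language, so both the link count and the intent check stay quiet.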