Link: MyActiveCampaign Link Abuse
Detects messages from myactivecampaign.com containing links and suspicious language that do not exclusively point to activehosted.com domains.
Sublime rule (View on GitHub)
1name: "Link: MyActiveCampaign Link Abuse"
2description: "Detects messages from myactivecampaign.com containing links and suspicious language that do not exclusively point to activehosted.com domains."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and 0 < length(body.links) < 10
8 and sender.email.domain.root_domain == "myactivecampaign.com"
9 and any(ml.nlu_classifier(body.current_thread.text).intents,
10 .name == "cred_theft" and .confidence == "high"
11 )
12 and not all(body.links, .href_url.domain.root_domain == "activehosted.com")
13tags:
14 - "Attack surface reduction"
15attack_types:
16 - "Credential Phishing"
17tactics_and_techniques:
18 - "Social engineering"
19detection_methods:
20 - "Natural Language Understanding"
21 - "URL analysis"
22 - "Sender analysis"
23id: "f5b91ce5-e239-5ae6-a417-9f0c5eeb47f1"