Link: MyActiveCampaign Link Abuse

Detects messages sent from myactivecampaign.com that contain suspicious (credential-theft) language and whose links do not all point to activehosted.com domains.

Sublime rule

name: "Link: MyActiveCampaign Link Abuse"
description: "Detects messages from myactivecampaign.com containing links and suspicious language that do not exclusively point to activehosted.com domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.links) < 10
  and sender.email.domain.root_domain == "myactivecampaign.com"
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
  )
  and not all(body.links, .href_url.domain.root_domain == "activehosted.com")
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "URL analysis"
  - "Sender analysis"
id: "f5b91ce5-e239-5ae6-a417-9f0c5eeb47f1"
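To see how the clauses of the rule interact, the following Python re-implements its `source` logic over a handful of constructed messages. This is an added illustration, not Sublime's engine or an MQL evaluator: the `Message` and `Intent` structures, the sample messages, and the `root_domain` helper (last two DNS labels, with no public-suffix handling) are simplifying assumptions; Sublime's real `root_domain` uses the public suffix list and its classifier derives intents from the message text.

```python
"""Offline re-implementation of the detection logic in the
"Link: MyActiveCampaign Link Abuse" Sublime rule (added example,
not the project's own code; data structures are assumptions)."""

from dataclasses import dataclass, field
from urllib.parse import urlparse

SENDER_ROOT = "myactivecampaign.com"
ALLOWED_LINK_ROOT = "activehosted.com"


@dataclass
class Intent:
    name: str
    confidence: str  # Sublime reports "low" / "medium" / "high"


@dataclass
class Message:
    inbound: bool
    sender_email: str
    link_hrefs: list[str]
    intents: list[Intent] = field(default_factory=list)


def root_domain(host: str) -> str:
    """Simplified stand-in for MQL's .root_domain: keep the last two labels.
    Assumption: the sample data contains no multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_root_domain(href: str) -> str:
    return root_domain(urlparse(href).hostname or "")


def sender_root_domain(address: str) -> str:
    return root_domain(address.rsplit("@", 1)[-1])


def matches_rule(msg: Message) -> bool:
    """Mirror each clause of the rule's `source` block, in order."""
    if not msg.inbound:
        return False
    # 0 < length(body.links) < 10
    if not 0 < len(msg.link_hrefs) < 10:
        return False
    # sender.email.domain.root_domain == "myactivecampaign.com"
    if sender_root_domain(msg.sender_email) != SENDER_ROOT:
        return False
    # any(intents, .name == "cred_theft" and .confidence == "high")
    if not any(i.name == "cred_theft" and i.confidence == "high" for i in msg.intents):
        return False
    # not all(body.links, .href_url.domain.root_domain == "activehosted.com")
    return not all(link_root_domain(h) == ALLOWED_LINK_ROOT for h in msg.link_hrefs)


# Constructed sample messages (not real traffic); hosts are placeholders.
CRED_THEFT_HIGH = [Intent("cred_theft", "high")]

# All links stay on the ESP's hosted domain: the rule must NOT fire.
LEGIT_CAMPAIGN = Message(True, "news@em.myactivecampaign.com",
                         ["https://acme.activehosted.com/unsubscribe",
                          "https://acme.activehosted.com/view"], CRED_THEFT_HIGH)

# One link leaves the hosted domain: the rule fires.
EXTERNAL_LINK = Message(True, "news@em.myactivecampaign.com",
                        ["https://acme.activehosted.com/view",
                         "https://login-verify.example/account"], CRED_THEFT_HIGH)

# Hostname merely contains the allowed string; root_domain sees evil.example.
LOOKALIKE_HOST = Message(True, "news@em.myactivecampaign.com",
                         ["https://activehosted.com.evil.example/"], CRED_THEFT_HIGH)

# External link but no high-confidence cred_theft intent: no match.
NO_INTENT = Message(True, "news@em.myactivecampaign.com",
                    ["https://login-verify.example/account"],
                    [Intent("cred_theft", "low")])

# Different sender root domain: out of scope for this rule.
OTHER_SENDER = Message(True, "news@example.net",
                       ["https://login-verify.example/account"], CRED_THEFT_HIGH)

# No links at all fails the 0 < length(body.links) bound.
NO_LINKS = Message(True, "news@em.myactivecampaign.com", [], CRED_THEFT_HIGH)


if __name__ == "__main__":
    for label, m in [("legit", LEGIT_CAMPAIGN), ("external", EXTERNAL_LINK),
                     ("lookalike", LOOKALIKE_HOST), ("no_intent", NO_INTENT),
                     ("other_sender", OTHER_SENDER), ("no_links", NO_LINKS)]:
        print(f"{label:13s} -> {matches_rule(m)}")
```

Comparing links by root domain rather than by substring is the point of the last clause: any subdomain of activehosted.com is treated as the provider's own hosting, while a host that only embeds that string elsewhere in its name resolves to a different root and keeps the rule alive. The intent check means the rule stays quiet on ordinary newsletters from the same sender that happen to link elsewhere.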
