New link domain (<=10d) from untrusted sender

Detects inbound email from an untrusted sender whose body contains a link to a domain that is less than 10 days old (by WHOIS registration date).

Sublime rule

name: "New link domain (<=10d) from untrusted sender"
description: |
    Detects links in the body of an email where the linked domain is less than 10 days old from untrusted senders.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) > 0
  and any(body.links, beta.whois(.href_url.domain).days_old <= 10)
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "4805b0e6-6d35-512b-8053-87dd0edacc8a"
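To make the rule's logic concrete, here is an added Python model of the same conditions (example code, not Sublime's implementation). It assumes constructed inputs: a message dict with its body links, a WHOIS creation-date table standing in for beta.whois(...).days_old, and a sender-profile dict mirroring the profile.by_sender() fields the rule reads; a domain with no WHOIS record is treated as not matching.

```python
"""Reference model of the rule's conditions (added example, not Sublime's code)."""
from datetime import date
from urllib.parse import urlsplit

# Constructed WHOIS creation dates, standing in for beta.whois(domain).days_old.
WHOIS_CREATED = {
    "example-newly-registered.test": date(2024, 5, 28),  # 3 days old at TODAY
    "example.com": date(1995, 8, 14),
}
TODAY = date(2024, 5, 31)  # fixed "now" so the example is deterministic
MAX_DAYS_OLD = 10          # the rule's "<= 10" threshold

def domain_of(href: str) -> str:
    """Host part of a link, roughly what .href_url.domain yields (www. stripped)."""
    host = (urlsplit(href).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def days_old(domain: str):
    """Age in days from the constructed WHOIS table; None when no record exists."""
    created = WHOIS_CREATED.get(domain)
    return None if created is None else (TODAY - created).days

def sender_untrusted(profile: dict) -> bool:
    """(prevalence in new/outlier and not solicited) or any malicious/spam history."""
    new_unsolicited = profile["prevalence"] in ("new", "outlier") and not profile["solicited"]
    return new_unsolicited or profile["any_messages_malicious_or_spam"]

def rule_matches(message: dict, profile: dict) -> bool:
    """True when every clause of the rule's source block holds for this message."""
    if message["direction"] != "inbound" or not message["links"]:
        return False
    ages = [days_old(domain_of(h)) for h in message["links"]]
    # any(...) over links: one domain at most 10 days old is enough; unknown age never matches
    if not any(a is not None and a <= MAX_DAYS_OLD for a in ages):
        return False
    return sender_untrusted(profile) and not profile["any_false_positives"]

# Constructed sample senders and messages.
NEW_SENDER = {"prevalence": "new", "solicited": False,
              "any_messages_malicious_or_spam": False, "any_false_positives": False}
KNOWN_SENDER = {"prevalence": "common", "solicited": True,
                "any_messages_malicious_or_spam": False, "any_false_positives": False}
PHISH = {"direction": "inbound", "links": ["https://www.example-newly-registered.test/login"]}
NEWSLETTER = {"direction": "inbound", "links": ["https://example.com/news"]}
```

Running rule_matches over the two constructed messages shows why the sender clauses matter: the same fresh-domain link is flagged from an unsolicited new sender but not from an established, solicited one.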
