Link: Direct POWR.io Form Builder with Suspicious Patterns
Detects POWR.io forms with suspicious characteristics including unverified creators, cross-domain redirects, suspended accounts, or form owners from African time zones that don't match sender domains.
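name: "Link: Direct POWR.io Form Builder with Suspicious Patterns"
description: "Detects POWR.io forms with suspicious characteristics including unverified creators, cross-domain redirects, suspended accounts, or form owners from African time zones that don't match sender domains."
type: "rule"
severity: "medium"
source: |
  // Two parallel branches that differ only in where the links come from:
  // (1) links in the message body, (2) links in an attached .eml message.
  // Each branch first filters for links that reach a POWR.io form builder,
  // then requires at least one of the suspicious-pattern checks to hold.
  type.inbound
  and (
    (
      any(filter(body.links,
                 (
                   (
                     .href_url.domain.root_domain == "powr.io"
                     and strings.icontains(.href_url.path, 'form-builder')
                   )
                   or (
                     // the POWR URL may be nested inside another link's query string,
                     // either plain or with '.' percent-encoded once (%2e) or twice (%252e)
                     (
                       strings.icontains(.href_url.query_params, 'powr.io')
                       or strings.icontains(.href_url.query_params, 'powr%2eio')
                       or strings.icontains(.href_url.query_params, 'powr%252eio')
                     )
                     and strings.icontains(.href_url.query_params, 'form-builder')
                   )
                 )
          ),
          // it's credphishing
          ml.link_analysis(.).credphish.disposition == "phishing"
          // these shouldn't show up here either
          or ml.link_analysis(.).credphish.contains_login
          or ml.link_analysis(.).credphish.contains_captcha
          // there is a redirect, and that redirect goes to a different domain than the sender root domain
          // (the form's window.CONTENT blob is extracted from the final DOM and parsed as JSON)
          or any(regex.extract(ml.link_analysis(.).final_dom.raw,
                               'window\.CONTENT=(?P<content>[^\n]+)\;\n'
                 ),
                 strings.parse_json(.named_groups["content"])["afterSubmission"] == "redirect"
                 and strings.parse_json(.named_groups["content"])["redirectLink"] != ""
                 and not strings.icontains(strings.parse_json(.named_groups["content"]
                                           )["redirectLink"],
                                           sender.email.domain.root_domain
                 )
          )
          // use the META data to inspect the "app_owner" data
          or any(regex.extract(ml.link_analysis(.).final_dom.raw,
                               'window\.META=(?P<meta>[^\n]+)\;\n'
                 ),
                 // the creator has been suspended or isn't active anymore
                 strings.parse_json(.named_groups["meta"])["app_owner"]["status"] == "suspended"
                 or strings.parse_json(.named_groups["meta"])["app_owner"]["active"] == false
                 // did not verify the email address (the key literally ends in '?')
                 or strings.parse_json(.named_groups["meta"])["app_owner"]["has_verified_email?"] == false
                 // the app_owner originated from a timezone in Africa
                 or strings.starts_with(strings.parse_json(.named_groups["meta"])["app_owner"]["timezone"],
                                        'Africa/'
                 )
                 // the creator domain doesn't match the sender root domain
                 // NOTE(review): bare suffix comparison with no '@' or '.' boundary — it only
                 // tests that the owner address ends in the sender's root-domain string
                 or not strings.ends_with(strings.parse_json(.named_groups["meta"]
                                          )["app_owner"]["email"],
                                          sender.email.domain.root_domain
                 )
          )
      )
      // same filter and checks, applied to links inside an attached message
      or any(attachments,
             (.file_extension == "eml" or .content_type == "message/rfc822")
             and any(filter(file.parse_eml(.).body.links,
                            (
                              (
                                .href_url.domain.root_domain == "powr.io"
                                and strings.icontains(.href_url.path,
                                                      'form-builder'
                                )
                              )
                              or (
                                // plain, once-encoded (%2e) and twice-encoded (%252e) '.'
                                (
                                  strings.icontains(.href_url.query_params,
                                                    'powr.io'
                                  )
                                  or strings.icontains(.href_url.query_params,
                                                       'powr%2eio'
                                  )
                                  or strings.icontains(.href_url.query_params,
                                                       'powr%252eio'
                                  )
                                )
                                and strings.icontains(.href_url.query_params,
                                                      'form-builder'
                                )
                              )
                            )
                     ),
                     // it's credphishing
                     ml.link_analysis(.).credphish.disposition == "phishing"
                     // these shouldn't show up here either
                     or ml.link_analysis(.).credphish.contains_login
                     or ml.link_analysis(.).credphish.contains_captcha

                     // there is a redirect, and that redirect goes to a different domain than the sender root domain
                     or any(regex.extract(ml.link_analysis(.).final_dom.raw,
                                          'window\.CONTENT=(?P<content>[^\n]+)\;\n'
                            ),
                            strings.parse_json(.named_groups["content"])["afterSubmission"] == "redirect"
                            and strings.parse_json(.named_groups["content"])["redirectLink"] != ""
                            and not strings.icontains(strings.parse_json(.named_groups["content"]
                                                      )["redirectLink"],
                                                      sender.email.domain.root_domain
                            )
                     )
                     // use the META data to inspect the "app_owner" data
                     or any(regex.extract(ml.link_analysis(.).final_dom.raw,
                                          'window\.META=(?P<meta>[^\n]+)\;\n'
                            ),

                            // the creator has been suspended or isn't active anymore
                            strings.parse_json(.named_groups["meta"])["app_owner"]["status"] == "suspended"
                            or strings.parse_json(.named_groups["meta"])["app_owner"]["active"] == false
                            // did not verify the email address (the key literally ends in '?')
                            or strings.parse_json(.named_groups["meta"])["app_owner"]["has_verified_email?"] == false
                            // the app_owner originated from a timezone in Africa
                            or strings.starts_with(strings.parse_json(.named_groups["meta"]
                                                   )["app_owner"]["timezone"],
                                                   'Africa/'
                            )
                            // the creator domain doesn't match the sender root domain
                            // NOTE(review): bare suffix comparison, same caveat as the body-links branch
                            or not strings.ends_with(strings.parse_json(.named_groups["meta"]
                                                     )["app_owner"]["email"],
                                                     sender.email.domain.root_domain
                            )
                     )
             )
      )
    )
  )
attack_types:
  - "Credential Phishing"
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Content analysis"
id: "fd37cc93-eeeb-5091-bece-6dc7b0c78fe0"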