Link: Recipient Domain in URL Path

This rule detects URL paths that contain the recipient's second-level domain (SLD) multiple times. This has been observed in multiple credential-phishing campaigns with MFA-enrollment-themed lures.

Sublime rule (View on GitHub)

name: "Link: Recipient Domain in URL Path"
description: "This rule detects URL paths which contain the recipient SLD multiple times. This has been observed in multiple credential phishing campaigns with MFA enrollment themed lures."
type: "rule"
severity: "high"
source: |
  type.inbound
  // sender is not marked as solicited in the sender profile
  and not profile.by_sender().solicited
  // not high trust sender domains
  // a high-trust root domain is only exempted when DMARC passes; a
  // high-trust domain that fails DMARC is still evaluated below
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and
  // any of the body links, contain the recipient domain repeating multiple times in a link path
  any(
      // make a list of distinct email slds
      // NOTE(review): only To recipients are inspected here; CC/BCC addresses are not
      distinct(map(recipients.to, .email.domain.sld)),
      // take the list of slds and cat it into a string of /sld/sld/ and search for it in links
      // `..` resolves to the sld from the enclosing any(); the match requires the sld
      // twice in a row, slash-delimited (e.g. "/example/example/"), compared
      // case-insensitively against the URL path only (host and query string are not checked)
      any(body.links, strings.icontains(.href_url.path, strings.concat("/", .., "/", .., "/")))
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Lookalike domain"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "de08731f-5fce-56bc-91b3-53b40d99278e"