Link: Referrer anonymization service from untrusted sender
Detects messages containing links that route through a referrer anonymization (dereferrer) service, such as href.li or a deref-mail style "/mail/client/...?redirectUrl=" redirector, which hides the real destination from link analysis. The rule fires only for senders that are either not on the high-trust sender domain list, or are on it but failed DMARC authentication; additionally the sender address must be new, or previously flagged as malicious/spam with no benign history, and must not be a solicited sender.
# Sublime MQL detection rule.
# Flags inbound mail whose body links pass through a referrer-anonymization /
# dereferrer service (href.li, or deref-mail style "/mail/client/...?redirectUrl=")
# when the sender has not been established as trustworthy. These services hide
# the true destination from link analysis, so they are a common wrapper around
# credential-phishing URLs.
name: "Link: Referrer anonymization service from untrusted sender"
description: "Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          // --- Branch 1: href.li ---
          // Only href.li links that actually carry a target (non-null query
          // string) count; a bare link to href.li with no query is ignored.
          (
            .href_url.domain.root_domain == "href.li"
            and .href_url.query_params is not null
          )
          // ...or a link the platform's URL rewrite decoder identified as href.li.
          or "href_li" in .href_url.rewrite.encoders
          // --- Branch 2: deref-mail style dereferrers ---
          // NOTE: the path/query pattern below is not tied to a specific host, so
          // any link shaped like /mail/client/...?redirectUrl=... matches here.
          // Every exclusion that follows is scoped to THIS branch only; the href.li
          // branch above has no org-domain, signature-site or sender-domain carve-out.
          or (
            (
              (
                strings.istarts_with(.href_url.path, '/mail/client/')
                and strings.icontains(.href_url.query_params, 'redirectUrl=')
              )
              or "deref_mail" in .href_url.rewrite.encoders
            )
            // this seems to be a common behavior for gmx users
            and not sender.email.domain.domain in ("gmx.de", "gmx.net")
            // mail.com senders are excluded only when a mail.com root domain also
            // appears in the message headers (i.e. the message actually transited mail.com).
            and not (
              sender.email.domain.domain == "mail.com"
              and any(headers.domains, .root_domain == "mail.com")
            )
            // remove any links that include org domains
            // CAUTION: this is a case-insensitive substring test over the whole
            // query string, not a check of the redirect target's host. A link
            // whose query string merely mentions an org domain anywhere is
            // excluded even if redirectUrl= points somewhere else entirely.
            and not any($org_domains,
                        strings.icontains(..href_url.query_params, .)
            )
            // remove any links that are to common "signature" sites
            // this does open up some FNs due to abuse of redirects of these sites
            // if FNs are observed, we should tighten the logic of these to account
            // for the redirect behavior
            // (same substring caveat as the org-domain check above: any mention of
            // these domains in the query string suppresses the match)
            and not any(['facebook.com', 'x.com', 'twitter.com', 'instagram.com'],
                        strings.icontains(..href_url.query_params, .)
            )

            // remove links which contain the sender domain if the sender doesn't have any malicious messages
            // Substring test again, this time for the sender's root domain anywhere in
            // the query string. The carve-out only applies while the sender *domain*
            // profile (not the individual address) has no malicious/spam history.
            and not (
              strings.icontains(.href_url.query_params,
                                sender.email.domain.root_domain
              )
              and not profile.by_sender_domain().any_messages_malicious_or_spam
            )
          )
  )
  // apply sender profile elements specific to the sender_email
  and (
    // first-seen sender address
    profile.by_sender_email().prevalence == "new"

    // if they aren't new, there are some conditions that still result in a match:
    // a known address with prior malicious/spam verdicts and no benign ones
    or (
      // and have been flagged previously
      profile.by_sender_email().any_messages_malicious_or_spam
      // without any false positives
      and not profile.by_sender_email().any_messages_benign
    )
  )
  // negate solicited senders
  and not profile.by_sender_email().solicited
  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): `not headers.auth_summary.dmarc.pass` will presumably also be
  // true when no DMARC result is present at all, so a high-trust domain with a
  // missing DMARC evaluation would be treated like a DMARC failure — confirm
  // this null handling is intended.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
  - "Evasion"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
id: "9fab2e1e-96d2-504f-b3dd-8af12f0e553d"