Link: Referrer anonymization service from untrusted sender

Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain.

Sublime rule (View on GitHub)

 1name: "Link: Referrer anonymization service from untrusted sender"
 2description: "Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain."
 3type: "rule"
 4severity: "medium"
 5source: |
    // Match inbound mail carrying at least one link that goes through a referrer
    // anonymizer (href.li or deref-mail), then gate on sender reputation and DMARC.
 6  type.inbound
 7  and any(body.links,
 8          // href.li: anonymizer root domain with a query string present,
            // or the link rewriter already tagged the encoder as href_li
 9          (
10            .href_url.domain.root_domain == "href.li"
11            and .href_url.query_params is not null
12          )
13          or "href_li" in .href_url.rewrite.encoders
14          // deref-mail: /mail/client/ path carrying a redirectUrl= parameter,
            // or the link rewriter already tagged the encoder as deref_mail
15          or (
16            (
17              (
18                strings.istarts_with(.href_url.path, '/mail/client/')
19                and strings.icontains(.href_url.query_params, 'redirectUrl=')
20              )
21              or "deref_mail" in .href_url.rewrite.encoders
22            )
23            // this seems to be a common behavior for gmx users
24            and not sender.email.domain.domain in ("gmx.de", "gmx.net")
              // mail.com senders are excluded only when a mail.com root domain also appears in the headers
25            and not (
26              sender.email.domain.domain == "mail.com"
27              and any(headers.domains, .root_domain == "mail.com")
28            )
29            // remove any links that include org domains
              // NOTE(review): substring match against the raw query string, not against a parsed redirect target
30            and not any($org_domains,
31                        strings.icontains(..href_url.query_params, .)
32            )
33            // remove any links that are to common "signature" sites
34            // this does open up some FNs due to abuse of redirects of these sites
35            // if FNs are observed, we should tighten the logic of these to account
36            // for the redirect behavior
              // NOTE(review): these are also plain substring checks, so 'x.com' matches any query
              // string containing e.g. 'box.com' -- the FN window is wider than redirect abuse alone
37            and not any(['facebook.com', 'x.com', 'twitter.com', 'instagram.com'],
38                        strings.icontains(..href_url.query_params, .)
39            )
40  
41            // remove links which contain the sender domain if the sender doesn't have any malicious messages
              // NOTE(review): substring match again; a short sender root domain would match more query strings than intended
42            and not (
43              strings.icontains(.href_url.query_params,
44                                sender.email.domain.root_domain
45              )
46              and not profile.by_sender_domain().any_messages_malicious_or_spam
47            )
48          )
49  )
50  // apply sender profile elements specific to the sender_email
51  and (
      // either the sender address has not been seen before...
52    profile.by_sender_email().prevalence == "new"
53  
54    // ...or, if they aren't new, there are some conditions that still result in a match
55    or (
56      // they have been flagged previously
57      profile.by_sender_email().any_messages_malicious_or_spam
58      // without any false positives
59      and not profile.by_sender_email().any_messages_benign
60    )
61  )
62  // negate solicited senders
63  and not profile.by_sender_email().solicited
64  // negate highly trusted sender domains unless they fail DMARC authentication
    // (a high-trust root domain only matches when headers.auth_summary.dmarc.pass is not true)
65  and (
66    (
67      sender.email.domain.root_domain in $high_trust_sender_root_domains
68      and not headers.auth_summary.dmarc.pass
69    )
70    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
71  )  
72attack_types:
73  - "Credential Phishing"
74tactics_and_techniques:
75  - "Open redirect"
76  - "Evasion"
77detection_methods:
78  - "Header analysis"
79  - "URL analysis"
80  - "Sender analysis"
81id: "9fab2e1e-96d2-504f-b3dd-8af12f0e553d"