Link: Credential Phishing traversing Russian infrastructure

This rule detects credential phishing attempts in emails whose headers include a Russian (.ru or .su) domain. It aggressively analyzes each link for signs of phishing — a credential-theft disposition, an obfuscated "Password" string on a page with a login form or CAPTCHA, or a final URL on a suspicious TLD — and excludes messages from highly trusted sender domains unless those messages fail DMARC authentication.


 1name: "Link: Credential Phishing traversing Russian infrastructure"
 2description: "This rule detects credential phishing attempts in emails traversing Russian TLDs by aggressively analyzing links for signs of phishing, including suspicious keywords, login prompts, or links flagged for credential theft, excluding emails from trusted domains unless they fail DMARC verification."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(headers.domains, .tld in ("ru", "su"))
 8  and any(ml.nlu_classifier(body.current_thread.text).intents,
 9          .name == "cred_theft" and .confidence in ("medium", "high")
10  )
11  and 0 < length(body.links) < 5
12  and any(body.links,
13          beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
14          or (
15            strings.icontains(beta.linkanalysis(., mode="aggressive").final_dom.raw,
16                              "Pàsswórd"
17            )
18            and (
19              beta.linkanalysis(., mode="aggressive").credphish.contains_login
20              or beta.linkanalysis(.).credphish.contains_captcha
21            )
22          )
23          or beta.linkanalysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
24  )
25  and (
26    not profile.by_sender().solicited
27    or profile.by_sender().any_messages_malicious_or_spam
28  )
29  
30  // negate highly trusted sender domains unless they fail DMARC authentication
31  and (
32    (
33      sender.email.domain.root_domain in $high_trust_sender_root_domains
34      and (
35        any(distinct(headers.hops, .authentication_results.dmarc is not null),
36            strings.ilike(.authentication_results.dmarc, "*fail")
37        )
38      )
39    )
40    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
41  )  
42
43attack_types:
44  - "Credential Phishing"
45tactics_and_techniques:
46  - "Social engineering"
47detection_methods:
48  - "Content analysis"
49  - "Header analysis"
50  - "Natural Language Understanding"
51  - "URL analysis"
52
53id: "a5203e3b-979f-5feb-bc6c-d62de08a2823"