Link: Self-sent message with quarterly document review request
Detects messages sent from a user to themselves containing a link with quarterly indicators (q1_, q2_, q3_, q4_) and specific document review language requesting urgent feedback.
Sublime rule (View on GitHub)
```yaml
name: "Link: Self-sent message with quarterly document review request"
description: "Detects messages sent from a user to themselves containing a link with quarterly indicators (q1_, q2_, q3_, q4_) and specific document review language requesting urgent feedback."
type: "rule"
severity: "critical"
source: |
  type.inbound
  // self sender
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  // first link is not related to the sender via sld (to account for orgs that have multiple tlds)
  and body.current_thread.links[0].href_url.domain.sld != sender.email.domain.sld
  and regex.icontains(body.current_thread.links[0].display_text, 'q[1-4]_20')
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "3c42cec6-c887-5f68-8083-b1397f274f4b"
```
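To see which combinations of headers and link text the rule above accepts and rejects, here is an added Python model of its logic run over a few constructed messages. It is an illustration written for this page, not Sublime's MQL engine or its rule code: the `Message`, `Address` and `Link` classes, the `domain_valid` flag standing in for `recipients.to[0].email.domain.valid`, and the simplified `sld()` helper (which does not handle public suffixes the way Sublime's `domain.sld` does) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Same pattern the rule applies to the first link's display text (case-insensitive).
QUARTER_RE = re.compile(r"q[1-4]_20", re.IGNORECASE)


@dataclass
class Address:
    email: str
    domain_valid: bool = True  # assumption: stands in for email.domain.valid


@dataclass
class Link:
    href_url: str
    display_text: str


@dataclass
class Message:
    inbound: bool
    sender: Address
    to: List[Address]
    cc: List[Address] = field(default_factory=list)
    bcc: List[Address] = field(default_factory=list)
    links: List[Link] = field(default_factory=list)  # body.current_thread.links


def sld(hostname: str) -> str:
    """Simplified second-level domain: the label left of the last dot.
    Assumption for this example only; no public-suffix list, so 'a.co.uk' gives 'co'."""
    labels = hostname.lower().split(".")
    return labels[-2] if len(labels) >= 2 else hostname.lower()


def matches_rule(msg: Message) -> bool:
    """Mirror the rule's conjunction clause by clause; any failing clause is a non-match."""
    if not msg.inbound:
        return False
    # Exactly one To recipient and nobody on CC/BCC.
    if len(msg.to) != 1 or msg.cc or msg.bcc:
        return False
    to0 = msg.to[0]
    # Self-sender: same address, or a recipient domain that is not valid at all.
    if msg.sender.email.lower() != to0.email.lower() and to0.domain_valid:
        return False
    # The rule indexes links[0]; with no links there is nothing to compare, so no match.
    if not msg.links:
        return False
    first = msg.links[0]
    link_host = urlparse(first.href_url).hostname or ""
    sender_domain = msg.sender.email.rsplit("@", 1)[-1]
    # First link must not share the sender's second-level domain.
    if sld(link_host) == sld(sender_domain):
        return False
    return bool(QUARTER_RE.search(first.display_text))


def sample_messages() -> dict:
    """Constructed sample messages (not real mail) covering the main branches."""
    me = Address("alice@example.com")
    return {
        "self_sent_quarterly": Message(
            True, me, [me],
            links=[Link("https://docs-share.invalid/view", "Q1_2024_Financial_Review.pdf")]),
        "self_sent_other_text": Message(
            True, me, [me],
            links=[Link("https://docs-share.invalid/view", "Meeting_Agenda.pdf")]),
        "link_on_sender_domain": Message(
            True, me, [me],
            links=[Link("https://files.example.com/q", "Q3_2024_Review.docx")]),
        "invalid_recipient_domain": Message(
            True, me, [Address("undisclosed-recipients", domain_valid=False)],
            links=[Link("https://docs-share.invalid/view", "q2_2025_budget")]),
        "has_cc": Message(
            True, me, [me], cc=[Address("bob@example.com")],
            links=[Link("https://docs-share.invalid/view", "Q4_2024_Review.pdf")]),
        "no_links": Message(True, me, [me]),
    }


def evaluate_samples() -> dict:
    return {name: matches_rule(m) for name, m in sample_messages().items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:26s} -> {'MATCH' if hit else 'no match'}")
```

The `link_on_sender_domain` case is the one the `sld` comparison is there for: a genuinely self-sent reminder linking to the organisation's own file share does not fire, while the same quarterly-named link pointing at an unrelated domain does.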