Link abuse: Self-service creation platform link with suspicious recipient behavior
Detects messages from new freemail senders containing links to self-service creation platforms with all-caps display text, combined with suspicious recipient patterns such as invalid recipients, self-sending, or unusual CC/BCC configurations.
Sublime rule

```yaml
name: "Link abuse: Self-service creation platform link with suspicious recipient behavior"
description: "Detects messages from new freemail senders containing links to self-service creation platforms with all-caps display text, combined with suspicious recipient patterns such as invalid recipients, self-sending, or unusual CC/BCC configurations."
type: "rule"
severity: "high"
source: |
  type.inbound
  // new freemail sender
  and profile.by_sender_email().prevalence == "new"
  and sender.email.domain.domain in $free_email_providers
  // suspicious recipient behavior
  and (
    // invalid recipient
    length(filter(recipients.to, .email.domain.valid)) == 0
    // self sender
    or (
      length(recipients.to) == 1
      and sender.email.email == recipients.to[0].email.email
    )
    // CC is another freemail
    or (
      length(recipients.cc) == 1
      and all(recipients.cc, .email.domain.domain in $free_email_providers)
    )
    // the recipient is another freemail with bcc
    or (
      length(recipients.to) == 1
      and recipients.to[0].email.domain.domain in $free_email_providers
      and length(recipients.bcc) > 0
    )
  )
  // few body links
  and length(body.current_thread.links) < 10
  // a self-service creation platform link whose display_text is all caps
  and any(body.current_thread.links,
          (
            .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $self_service_creation_platform_domains
          )
          and regex.match(.display_text, '[A-Z0-9_\-\s]+')
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "384ad135-a3c1-5d96-b864-2a6cd852406a"
```
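The same detection logic as a stand-alone Python model, added here to show how the four recipient patterns and the all-caps link check combine; this is an illustration, not code from the Sublime rule or its repository. The provider and platform domain sets, the `Message`/`Link` classes and the simplified domain-validity check are constructed assumptions standing in for Sublime's lists and message model.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for $free_email_providers and
# $self_service_creation_platform_domains (the real lists are larger).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
CREATION_PLATFORM_DOMAINS = {"sites.example-builder.test", "example-forms.test"}
# Sublime's regex.match() matches the whole string, so fullmatch mirrors it.
ALL_CAPS_DISPLAY = re.compile(r"[A-Z0-9_\-\s]+")

@dataclass
class Link:
    href_domain: str    # .href_url.domain.domain
    root_domain: str    # .href_url.domain.root_domain
    display_text: str

@dataclass
class Message:
    sender: str
    sender_prevalence: str           # profile.by_sender_email().prevalence
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    links: list[Link] = field(default_factory=list)

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def valid_domain(addr: str) -> bool:
    # Simplified stand-in for .email.domain.valid: needs a dotted domain part.
    return "@" in addr and "." in domain(addr)

def suspicious_recipients(m: Message) -> bool:
    """The rule's four recipient patterns, OR'd together."""
    invalid_rcpt = not any(valid_domain(r) for r in m.to)
    self_send = len(m.to) == 1 and m.to[0] == m.sender
    cc_freemail = len(m.cc) == 1 and all(domain(r) in FREE_EMAIL_PROVIDERS for r in m.cc)
    to_freemail_with_bcc = (len(m.to) == 1 and len(m.bcc) > 0
                            and domain(m.to[0]) in FREE_EMAIL_PROVIDERS)
    return invalid_rcpt or self_send or cc_freemail or to_freemail_with_bcc

def caps_creation_platform_link(links: list[Link]) -> bool:
    """Any creation-platform link whose visible text is all caps/digits."""
    return any((l.root_domain in CREATION_PLATFORM_DOMAINS or l.href_domain in CREATION_PLATFORM_DOMAINS)
               and ALL_CAPS_DISPLAY.fullmatch(l.display_text) is not None for l in links)

def rule_matches(m: Message) -> bool:
    return (m.sender_prevalence == "new" and domain(m.sender) in FREE_EMAIL_PROVIDERS
            and suspicious_recipients(m) and len(m.links) < 10
            and caps_creation_platform_link(m.links))
```

Feeding it a self-addressed message from a new freemail sender with a single "VERIFY YOUR ACCOUNT" link to a platform domain returns True, while the same message from an established sender or with mixed-case link text does not fire.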