Link: Tax document lure Portuguese/Spanish with suspicious domains

calendar Apr 14, 2026  ·
Share on: linkedin copy

Detects messages in Portuguese/Spanish containing tax document phrases that link to suspicious domains including URL shorteners, free file hosts, or newly registered domains.

Sublime rule (View on GitHub)

 1name: "Link: Tax document lure Portuguese/Spanish with suspicious domains"
 2description: "Detects messages in Portuguese/Spanish containing tax document phrases that link to suspicious domains including URL shorteners, free file hosts, or newly registered domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and 0 < length(body.links) < 15
 8  and length(recipients.to) == 1
 9  and recipients.to[0].email.domain.valid
10  and (
11    // portuguese tax document phrases
12    regex.icontains(body.current_thread.text,
13                    '(?:documento fiscal|documento tributário|documento de imposto|documento de impostos|formulário fiscal|declaração de imposto|declaração de impostos|declaração fiscal|documentação fiscal|comprovante fiscal|certidão fiscal|certificado fiscal|registro fiscal|comprovativo fiscal)'
14    )
15    // spanish tax document phrases
16    or regex.icontains(body.current_thread.text,
17                       '(?:Acessar Documento|Documento Fiscal|documento tributario|documento de impuestos|comprobante fiscal|constancia fiscal|declaración de impuestos|formulario fiscal|documentación fiscal|registro fiscal|certificado fiscal)'
18    )
19  )
20  
21  // suspicious domains
22  and any(body.links,
23          .parser == 'hyperlink'
24          and (
25            .href_url.domain.domain in $url_shorteners
26            or .href_url.domain.root_domain in $url_shorteners
27            or .href_url.domain.domain in $free_file_hosts
28            or .href_url.domain.root_domain in $free_file_hosts
29            or .href_url.domain.domain in $free_subdomain_hosts
30            or .href_url.domain.root_domain in $free_subdomain_hosts
31            or .href_url.domain.domain in $self_service_creation_platform_domains
32            or .href_url.domain.root_domain in $self_service_creation_platform_domains
33            or network.whois(.href_url.domain).days_old < 30
34          )
35          and not .href_url.domain.root_domain in ('sharepoint.com', 'box.com')
36  )
37  // subject fields
38  and regex.icontains(subject.base, '(?:nf|\b[0-9]{7,10}\b|nota fiscal)')
39  
40  // negate highly trusted sender domains unless they fail DMARC authentication
41  and not (
42    sender.email.domain.root_domain in $high_trust_sender_root_domains
43    and coalesce(headers.auth_summary.dmarc.pass, false)
44  )  
45attack_types:
46  - "BEC/Fraud"
47  - "Credential Phishing"
48  - "Malware/Ransomware"
49tactics_and_techniques:
50  - "Free file host"
51  - "Free subdomain host"
52  - "Social engineering"
53detection_methods:
54  - "Content analysis"
55  - "URL analysis"
56  - "Whois"
57id: "e132beb2-1112-5204-89d7-56cec0835b87"
to-top