Link: Suspicious single-domain link with suspicious path and financial lure indicators

Detects inbound messages containing a single unique root domain across all links, where at least one link follows a suspicious path pattern. Additionally, the message body contains HTML elements consistent with financial lure tactics, such as 'cash offer', 'confirm info', or 'view rates' styled with specific background colors indicative of a structured deceptive template.

Sublime rule (View on GitHub)

name: "Link: Suspicious single-domain link with suspicious path and financial lure indicators"
description: "Detects inbound messages containing a single unique root domain across all links, where at least one link follows a suspicious path pattern. Additionally, the message body contains HTML elements consistent with financial lure tactics, such as 'cash offer', 'confirm info', or 'view rates' styled with specific background colors indicative of a structured deceptive template."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(distinct(body.current_thread.links, .href_url.domain.root_domain)) == 1
  and any(body.current_thread.links,
          regex.contains(.href_url.path, '\/[a-z]\/[a-z0-9]{32}')
          and length(.href_url.domain.subdomain) == 3
  )
  and (
    any(html.xpath(body.html, '//a').nodes,
        (
          strings.icontains(.raw, "color:#4fb077")
          and strings.icontains(.display_text, 'cash offer')
        )
    )
    or (
      any(body.current_thread.links,
          strings.icontains(.display_text, 'confirm info', 'view rates')
      )
      and strings.icontains(body.html.raw, 'background-color: #007bc2')
    )
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "67a2606a-8577-551f-8f42-c3040937633d"
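As an added illustration, not part of the Sublime rule or its repository, the same clauses re-implemented in Python over a constructed HTML message so the logic can be stepped through offline. The sample domain and token are made up, and the root-domain split is a naive two-label assumption rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not from the rule page): one root domain, a three-character
# subdomain, a 32-character token path, a "confirm info" link and the #007bc2 colour.
SAMPLE_HTML = """<html><body style="background-color: #007bc2">
<p>Your rate review is ready.</p>
<a href="https://abc.example-lure.test/r/0123456789abcdef0123456789abcdef">Confirm Info</a>
<a href="https://abc.example-lure.test/unsubscribe">Unsubscribe</a>
</body></html>"""

SUSPICIOUS_PATH = re.compile(r"/[a-z]/[a-z0-9]{32}")  # mirrors the rule's regex

class LinkExtractor(HTMLParser):
    # Collects (href, display_text, raw_start_tag) for every <a>, like the rule's links / xpath nodes
    def __init__(self):
        super().__init__()
        self.links, self._href, self._raw, self._text = [], None, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._raw, self._text = self.get_starttag_text(), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._raw))
            self._href = None

def root_domain(host):
    return ".".join(host.split(".")[-2:])   # assumption: no public-suffix list

def subdomain(host):
    return ".".join(host.split(".")[:-2])

def matches_rule(html):
    """Python approximation of the MQL rule; True means every clause was satisfied."""
    parser = LinkExtractor()
    parser.feed(html)
    links = [(urlsplit(href), text, raw) for href, text, raw in parser.links]
    if len({root_domain(u.hostname or "") for u, _, _ in links}) != 1:
        return False            # more (or fewer) than one unique root domain
    if not any(SUSPICIOUS_PATH.search(u.path) and len(subdomain(u.hostname or "")) == 3
               for u, _, _ in links):
        return False            # no token-style path on a three-character subdomain
    cash_offer = any("cash offer" in t.lower() and "color:#4fb077" in raw.lower()
                     for _, t, raw in links)
    rate_lure = (any(k in t.lower() for _, t, _ in links for k in ("confirm info", "view rates"))
                 and "background-color: #007bc2" in html.lower())
    return cash_offer or rate_lure
```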