Link: Unsolicited email contains link to page containing Tycoon URI structure
Detects links containing Tycoon phishing kit URI patterns with specific alphanumeric sequences separated by exclamation marks or at symbols from unsolicited senders.
Sublime rule:

```yaml
name: "Link: Unsolicited email contains link to page containing Tycoon URI structure"
description: "Detects links containing Tycoon phishing kit URI patterns with specific alphanumeric sequences separated by exclamation marks or at symbols from unsolicited senders."
type: "rule"
severity: "high"
source: |
  type.inbound
  and 0 < length(body.links) < 15
  and any(body.links,
          any(html.xpath(ml.link_analysis(.).final_dom, '//script//text()').nodes,
              // full tycoon uri struct
              any(.links,
                  regex.icontains(.href_url.path,
                                  '^\/[a-z0-9]{0,30}[!@][a-z0-9]{0,30}\/'
                  )
                  and not regex.icontains(.href_url.path, '\/[!@][a-z]{2,30}\/')
                  and not strings.istarts_with(.href_url.domain.domain, 'www.')
                  and not regex.icontains(.href_url.domain.root_domain,
                                          '(?:fpjs\.io|(?:medium|unpkg|alicdn)\.com|turtl\.co)'
                  )
              )
          )
          // tycoon structured path and cloudflare captcha domain
          or (
            regex.icontains(.display_text,
                            '\/[a-zA-Z0-9]{0,30}[!@][a-zA-Z0-9]{0,30}\/'
            )
            and strings.icontains(.display_text, 'challenges.cloudflare.com')
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "531aa65a-fd5d-54f6-ac18-1019b12e4c6a"
```
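An added example, not part of the rule or of Sublime's own code, that mirrors the inner per-link predicate in Python over constructed URLs, to show which paths the Tycoon pattern catches and which the three exclusions drop. The `root_domain` helper is an assumption (last two hostname labels, rather than the public-suffix-based field the rule uses), and every sample URL is constructed, not a real indicator.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the rule; regex.icontains is a case-insensitive search.
TYCOON_PATH = re.compile(r'^\/[a-z0-9]{0,30}[!@][a-z0-9]{0,30}\/', re.I)
HANDLE_PATH = re.compile(r'\/[!@][a-z]{2,30}\/', re.I)   # drops /@author/-style handles
BENIGN_ROOT = re.compile(r'(?:fpjs\.io|(?:medium|unpkg|alicdn)\.com|turtl\.co)', re.I)


def root_domain(host: str) -> str:
    # Assumption: approximate .href_url.domain.root_domain as the last two
    # labels; the real field is derived from the public suffix list.
    return '.'.join(host.lower().split('.')[-2:])


def matches_tycoon_uri(url: str) -> bool:
    """Mirror of the rule's any(.links, ...) predicate for a single href."""
    parts = urlsplit(url)
    host = parts.hostname or ''
    path = parts.path or ''
    return (
        bool(TYCOON_PATH.search(path))                  # /<alnum>[!@]<alnum>/ at path start
        and not HANDLE_PATH.search(path)                # not a plain /@handle/ segment
        and not host.startswith('www.')                 # strings.istarts_with(domain, 'www.')
        and not BENIGN_ROOT.search(root_domain(host))   # CDN/blog roots that legitimately use @
    )


def flag_links(urls):
    """Return the hrefs that satisfy the per-link predicate, in input order."""
    return [u for u in urls if matches_tycoon_uri(u)]


# Constructed sample hrefs (not real indicators), one per branch of the predicate.
SAMPLE_LINKS = [
    'https://example-phish.test/abc123def!xyz789/',            # Tycoon-style segment: flagged
    'https://example-phish.test/@k9z2/',                       # digits defeat the handle exclusion: flagged
    'https://medium.com/@someauthor/story-id',                 # /@handle/ and allowlisted root: dropped
    'https://unpkg.com/react@18/umd/react.production.min.js',  # package@version on allowlisted CDN: dropped
    'https://www.example.test/abc!def/',                       # www. prefix: dropped
    'https://example.test/abc-def!ghi/',                       # hyphen breaks the alphanumeric run: dropped
]

if __name__ == '__main__':
    for url in SAMPLE_LINKS:
        print(matches_tycoon_uri(url), url)
```

The `/@k9z2/` case shows why the handle exclusion is narrow: it only suppresses purely alphabetic `/@name/` segments, so a mixed alphanumeric token after the separator is still flagged.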