Link: Credential Phishing link with Undisclosed Recipients

This rule flags inbound messages that are addressed to no visible recipients (or only to the "Undisclosed recipients" placeholder, with empty Cc and Bcc) and whose body contains a link that link analysis classifies as a credential phishing page with medium or high confidence. High-trust sender domains are exempt only while they pass DMARC.

Sublime rule (YAML; the `source` field is the MQL query):

 1name: "Link: Credential Phishing link with Undisclosed Recipients"
 2description: |
 3    This rule detects messages with "Undisclosed Recipients" that contain a link to a credential phishing page. 
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    // No Recipients
10    length(recipients.to) == 0
11    or all(recipients.to, .display_name == "Undisclosed recipients")
12  )
13  and length(recipients.cc) == 0
14  and length(recipients.bcc) == 0
15  and any(body.links,
16          ml.link_analysis(.).credphish.disposition == "phishing"
17          and ml.link_analysis(.).credphish.confidence in ("medium", "high")
18  )
19  // negate highly trusted sender domains unless they fail DMARC authentication
20  and (
21    (
22      sender.email.domain.root_domain in $high_trust_sender_root_domains
23      and not headers.auth_summary.dmarc.pass
24    )
25    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
26  )
27  and not profile.by_sender().solicited
28  and not profile.by_sender().any_false_positives  
29
30attack_types:
31  - "Credential Phishing"
32tactics_and_techniques:
33  - "Evasion"
34detection_methods:
35  - "Computer Vision"
36  - "Header analysis"
37  - "URL screenshot"
38id: "06fc155e-f779-50a7-ad5f-3c3777fbf8f5"