Link: Credential Phishing link with Undisclosed Recipients

This rule detects inbound messages addressed to no visible recipients (an empty To header or one carrying only an "Undisclosed recipients" placeholder, with no Cc or Bcc) that contain a body link which Sublime link analysis classifies as a credential phishing page with medium or high confidence. Senders on the high-trust root-domain list are excluded unless the message fails DMARC, and senders the recipient has solicited mail from or that have prior false positives are skipped.


 1name: "Link: Credential Phishing link with Undisclosed Recipients"
 2description: |
 3    This rule detects messages with "Undisclosed Recipients" that contain a link to a credential phishing page. 
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    // No Recipients
10    length(recipients.to) == 0
11    or all(recipients.to, .display_name == "Undisclosed recipients")
12  )
13  and length(recipients.cc) == 0
14  and length(recipients.bcc) == 0
15  and any(body.links,
16          beta.linkanalysis(.).credphish.disposition == "phishing"
17          and beta.linkanalysis(.).credphish.confidence in ("medium", "high")
18  )
19  // negate highly trusted sender domains unless they fail DMARC authentication
20  and (
21    (
22      sender.email.domain.root_domain in $high_trust_sender_root_domains
23      and (
24        any(distinct(headers.hops, .authentication_results.dmarc is not null),
25            strings.ilike(.authentication_results.dmarc, "*fail")
26        )
27      )
28    )
29    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
30  )
31  and not profile.by_sender().solicited
32  and not profile.by_sender().any_false_positives  
33
34attack_types:
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "Evasion"
38detection_methods:
39  - "Computer Vision"
40  - "Header analysis"
41  - "URL screenshot"
42id: "06fc155e-f779-50a7-ad5f-3c3777fbf8f5"