Link: Webflow Link from Unsolicited Sender

This detection rule matches messages containing at least one link to webflow.io from an unsolicited sender. Webflow.io provides a free plan that lets users create custom websites and host files. This service has been abused by threat actors to host landing pages that direct victims to the next stage of a credential phishing attack.

Sublime rule (View on GitHub)

name: "Link: Webflow Link from Unsolicited Sender"
description: "This detection rule matches on messaging containing at least one link to webflow.io from an unsolicited sender.  Webflow.io provides a free plan enabling users to create custom websites and file hosting.  This service has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          // webflow link
          .href_url.domain.root_domain == 'webflow.io'
          and .href_url.domain.subdomain != ""
          and .href_url.domain.subdomain != "www"
          and .href_url.path == "/"
  )
  // not solicited or from malicious/spam user with no FPs
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
id: "d4f3b8cf-6aa9-5e21-8307-8f4df248dded"
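To make the rule's three conditions (link shape, sender reputation, high-trust domain exception) concrete, here is an added Python model of the same logic run over constructed sample messages; it is not Sublime's code, and the message dict fields, the `make_msg` helper, the contents of the trust list and the two-label root-domain simplification are all assumptions of this example.

```python
from urllib.parse import urlsplit

# Stand-in for the $high_trust_sender_root_domains list (assumed contents).
HIGH_TRUST_ROOT_DOMAINS = {"example.com"}


def link_parts(href):
    """Return (root_domain, subdomain, path) for an href.
    Simplification: root_domain is the last two host labels. The real engine
    uses a public-suffix list; both agree for anything under webflow.io."""
    u = urlsplit(href)
    labels = u.hostname.lower().split(".") if u.hostname else []
    return ".".join(labels[-2:]), ".".join(labels[:-2]), u.path


def is_webflow_landing_link(href):
    """Mirror the any(body.links, ...) predicate: a non-www subdomain of
    webflow.io whose path is exactly '/' (a site root used as a landing page)."""
    root, sub, path = link_parts(href)
    return root == "webflow.io" and sub not in ("", "www") and path == "/"


def rule_matches(msg):
    """Apply the whole rule to one message dict (field names are assumed)."""
    if not msg["inbound"]:
        return False
    if not any(is_webflow_landing_link(h) for h in msg["links"]):
        return False
    p = msg["sender_profile"]
    unsolicited = (not p["solicited"]) or (
        p["any_malicious_or_spam"] and not p["any_false_positives"]
    )
    if not unsolicited:
        return False
    # Same truth table as the rule's last clause: a high-trust root domain is
    # only excused when its DMARC check passed.
    trusted = msg["sender_root_domain"] in HIGH_TRUST_ROOT_DOMAINS
    return not (trusted and msg["dmarc_pass"])


def make_msg(link, solicited=False, sender="sender.example.net",
             dmarc_pass=False, malicious=False, fps=False, inbound=True):
    """Build a constructed sample message (not real traffic)."""
    return {"inbound": inbound, "links": [link], "sender_root_domain": sender,
            "dmarc_pass": dmarc_pass,
            "sender_profile": {"solicited": solicited,
                               "any_malicious_or_spam": malicious,
                               "any_false_positives": fps}}
```

Feeding `make_msg` variants through `rule_matches` shows which of the rule's exclusions (www or bare webflow.io host, non-root path, solicited sender, DMARC-passing high-trust domain) suppress a hit.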