Service abuse: SurveyMonkey with suspicious outbound links

Detects messages sent from SurveyMonkey's user domain that contain links to non-SurveyMonkey domains within nested table elements, excluding survey-related content.

Sublime rule (View on GitHub)

 1name: "Service abuse: SurveyMonkey with suspicious outbound links"
 2description: "Detects messages sent from SurveyMonkey's user domain that contain links to non-SurveyMonkey domains within nested table elements, excluding survey-related content."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.domain.root_domain == "surveymonkeyuser.com"
 8  and any(html.xpath(body.html, '//table//table//a').nodes,
 9          .links[0].href_url.domain.root_domain != "surveymonkey.com"
10          and not strings.icontains(.inner_text, "survey")
11          and not (
12            .links[0].href_url.domain.root_domain in (
13              "mimecast.com",
14              "mimecastprotect.com"
15            )
16            and any(.links[0].href_url.query_params_decoded['domain'],
17                    strings.parse_domain(.).domain in $tenant_domains
18                    or strings.parse_domain(.).domain in ("surveymonkey.com", )
19            )
20          )
21  )  
22attack_types:
23  - "Credential Phishing"
24tactics_and_techniques:
25  - "Social engineering"
26  - "Impersonation: Brand"
27detection_methods:
28  - "Content analysis"
29  - "HTML analysis"
30  - "Sender analysis"
31  - "URL analysis"
32id: "f183bd14-d8f0-5a69-9cce-9a9eee855bf7"
to-top