Service abuse: SurveyMonkey with suspicious outbound links
Detects messages sent from SurveyMonkey's user domain that contain links to non-SurveyMonkey domains within nested table elements, excluding survey-related content.
Sublime rule (View on GitHub)
1name: "Service abuse: SurveyMonkey with suspicious outbound links"
2description: "Detects messages sent from SurveyMonkey's user domain that contain links to non-SurveyMonkey domains within nested table elements, excluding survey-related content."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and sender.email.domain.root_domain == "surveymonkeyuser.com"
8 and any(html.xpath(body.html, '//table//table//a').nodes,
9 .links[0].href_url.domain.root_domain != "surveymonkey.com"
10 and not strings.icontains(.inner_text, "survey")
11 and not (
12 .links[0].href_url.domain.root_domain in (
13 "mimecast.com",
14 "mimecastprotect.com"
15 )
16 and any(.links[0].href_url.query_params_decoded['domain'],
17 strings.parse_domain(.).domain in $tenant_domains
18 or strings.parse_domain(.).domain in ("surveymonkey.com", )
19 )
20 )
21 )
22attack_types:
23 - "Credential Phishing"
24tactics_and_techniques:
25 - "Social engineering"
26 - "Impersonation: Brand"
27detection_methods:
28 - "Content analysis"
29 - "HTML analysis"
30 - "Sender analysis"
31 - "URL analysis"
32id: "f183bd14-d8f0-5a69-9cce-9a9eee855bf7"