Spam: Firebase password reset from suspicious sender
Detects Firebase password reset messages from suspicious or new senders that may be attempting to abuse the Firebase authentication service.
name: "Spam: Firebase password reset from suspicious sender"
description: "Detects Firebase password reset messages from suspicious or new senders that may be attempting to abuse the Firebase authentication service."
type: "rule"
severity: "low"
# Detection logic (MQL). Every top-level clause must hold for the rule to fire.
source: |
  type.inbound
  // Sender address is under firebaseapp.com. NOTE(review): this only fixes the
  // sending platform, not which project sent the mail — on its own it does not
  // establish the message as trusted; the sender-profile / DMARC clauses at the
  // end carry the actual suspicion signal.
  and sender.email.domain.root_domain == "firebaseapp.com"
  // Exactly one body link remains after discounting aka.ms links and links
  // with no URL path, i.e. the message carries little besides the reset link
  // itself. Presumably aka.ms is excluded because of client-injected footer
  // links — verify against sample messages.
  and length(filter(body.links,
                    .href_url.domain.root_domain not in ("aka.ms")
                    and .href_url.path is not null
                    )
             ) == 1
  // A link on the same domain as the sender points at the Firebase auth action
  // endpoint with mode=resetPassword. Only the "mode" query parameter is
  // inspected; any other parameter on the action link is not examined here.
  and any(body.links,
          .href_url.domain.domain == sender.email.domain.domain
          and .href_url.path == "/__/auth/action"
          and any(.href_url.query_params_decoded["mode"], . == "resetPassword")
  )
  // Suspicion signal: any one of the three branches is sufficient.
  and (
    // (a) first contact from this sender and not solicited by the recipient
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence == "new"
    )
    // (b) sender has prior malicious/spam messages and nothing marked benign
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    // (c) DMARC did not pass. NOTE(review): confirm how this clause evaluates
    // when the headers carry no DMARC result at all.
    or not headers.auth_summary.dmarc.pass
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "a2f673a9-11e5-51c5-ab1e-f374a9662294"