Suspicious recipient pattern and language with low reputation link to login
Message contains a suspicious recipient pattern, financial or urgent language, and a suspicious link, with a login page and confusable characters or multiple redirects.
Sublime rule (View on GitHub)
name: "Suspicious recipient pattern and language with low reputation link to login"
description: "Message contains a suspicious recipient pattern, financial or urgent language, and a suspicious link, with a login page and confusable characters or multiple redirects."
type: "rule"
severity: "medium"
# All four conditions below must hold on an inbound message:
#   1. at least one body link points at a domain that is either outside the
#      Tranco 1M / org / high-trust sender lists, or uses a suspicious TLD, and
#      link analysis finds a login page whose rendered text changes when
#      confusable characters are normalized, or more than one redirect hop;
#   2. the NLU classifier tags the current thread text as financial or urgent;
#   3. the recipient set is abnormal: empty To, any BCC, or every To and CC
#      address on an invalid domain;
#   4. no body link shares a root domain with the sender's address.
source: |
  type.inbound
  // 1. low-reputation or suspicious-TLD link that resolves to a login page
  and any(body.links,
          (
            (
              .href_url.domain.valid
              and .href_url.domain.root_domain not in $tranco_1m
              and .href_url.domain.root_domain not in $org_domains
              and .href_url.domain.root_domain not in $high_trust_sender_root_domains
            )
            or .href_url.domain.tld in $suspicious_tlds
          )
          and ml.link_analysis(.).credphish.contains_login
          and (
            // display text differs once confusables are replaced ...
            ml.link_analysis(.).final_dom.display_text != strings.replace_confusables(ml.link_analysis(.).final_dom.display_text)
            // ... or the link passed through more than one redirect
            or length(ml.link_analysis(.).redirect_history) > 1
          )
  )
  // 2. financial or urgency language in the current thread
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("financial", "urgency")
  )
  // 3. abnormal recipient pattern
  and (
    length(recipients.to) == 0
    or length(recipients.bcc) > 0
    or (
      all(recipients.to, .email.domain.valid == false)
      and all(recipients.cc, .email.domain.valid == false)
    )
  )
  // 4. no link points back at the sender's own root domain
  and all(body.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
  )

attack_types:
  - 'Credential Phishing'
tactics_and_techniques:
  - 'Social engineering'
detection_methods:
  - 'Computer Vision'
  - 'Content analysis'
  - 'Header analysis'
  - 'Natural Language Understanding'
  - 'Optical Character Recognition'
  - 'Sender analysis'
  - 'URL analysis'
  - 'URL screenshot'
id: 'a8ea0402-98eb-5a93-9f63-c54504b060b9'