Sublime Rule (severity: low)

Link: Spam website with evasion indicators

Detects messages containing links to spam websites that show signs of evasion techniques, including blocklisted IP provider messages or rate limiting responses when analyzed.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
// single meaningful root domain in links
and length(filter(distinct(body.links, .href_url.domain.root_domain),
                  // filter out unrelated domains
                  .href_url.domain.root_domain != sender.email.domain.root_domain
                  and any(recipients.to,
                          .email.domain.root_domain != ..href_url.domain.root_domain
                  )
                  and .href_url.domain.root_domain not in ("aka.ms")
           )
) == 1
// specific spam website pattern
and any(body.links,
        // did not redirect to any other domain
        ml.link_analysis(.).effective_url.domain.domain == .href_url.domain.domain
        and (
          // LinkAnalysis was "evaded"
          any(ml.link_analysis(.).effective_url.query_params_decoded["q"],
              strings.icontains(., "IP provider is blacklisted!")
          )
          // or we encountered the rate limiting
          or ml.link_analysis(.).final_dom.inner_text == "Too Many Requests!"
        )
)
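The query above has two parts: the message must carry exactly one "meaningful" link root domain (links to the sender's own domain, to a domain every recipient is on, and to aka.ms are ignored), and at least one link must have been crawled without a cross-domain redirect while either carrying "IP provider is blacklisted!" in the decoded `q` parameter of the landing URL or serving a page whose text is exactly "Too Many Requests!". The following Python re-implementation is an added example and is not part of the rule or of Sublime's own code: the dataclasses stand in for the MQL message model, the `LinkAnalysis` values are constructed stand-ins for what `ml.link_analysis()` would return (nothing is fetched from the network), the sample messages and domains are made up, and `root_domain` is a two-label simplification rather than a public-suffix-aware parser.

```python
"""Added example: a Python re-implementation of the rule's logic, not Sublime's code.

Assumptions: the dataclasses model only the fields the rule touches, the
LinkAnalysis values are constructed stand-ins for ml.link_analysis() (no network
access), and the sample messages below are invented.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit


@dataclass
class LinkAnalysis:
    """Stand-in for ml.link_analysis(): URL the crawl ended on plus the page text."""
    effective_url: str
    final_dom_inner_text: str = ""


@dataclass
class Link:
    href_url: str
    analysis: LinkAnalysis


@dataclass
class Message:
    sender_email: str
    recipients_to: List[str]
    body_links: List[Link]


EXCLUDED_ROOT_DOMAINS = {"aka.ms"}          # mirrors `not in ("aka.ms")`
EVASION_MARKER = "ip provider is blacklisted!"
RATE_LIMIT_TEXT = "Too Many Requests!"


def host_of(url: str) -> str:
    """Equivalent of .domain.domain: the full host name of a URL."""
    return (urlsplit(url).hostname or "").lower()


def root_domain(host: str) -> str:
    """Equivalent of .domain.root_domain. Simplification (assumption): the last two
    labels, which is wrong for multi-label public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def email_root_domain(address: str) -> str:
    return root_domain(address.rsplit("@", 1)[-1])


def meaningful_root_domains(msg: Message) -> set:
    """Part 1: distinct link root domains, minus the sender's own domain, minus any
    domain that every recipient is on, minus the allow-listed aka.ms."""
    sender_root = email_root_domain(msg.sender_email)
    recipient_roots = [email_root_domain(r) for r in msg.recipients_to]
    result = set()
    for link in msg.body_links:
        root = root_domain(host_of(link.href_url))
        if root == sender_root or root in EXCLUDED_ROOT_DOMAINS:
            continue
        # any(recipients.to, .email.domain.root_domain != ..href_url.domain.root_domain)
        if any(rr != root for rr in recipient_roots):
            result.add(root)
    return result


def link_shows_evasion(link: Link) -> bool:
    """Part 2 for one link: no cross-domain redirect, plus either the blocklist
    message in the decoded `q` parameter or the rate-limit page text."""
    analysis = link.analysis
    if host_of(analysis.effective_url) != host_of(link.href_url):
        return False  # crawl was redirected to another host; the rule ignores such links
    q_values = parse_qs(urlsplit(analysis.effective_url).query).get("q", [])
    evaded = any(EVASION_MARKER in v.lower() for v in q_values)    # strings.icontains
    rate_limited = analysis.final_dom_inner_text == RATE_LIMIT_TEXT  # exact match
    return evaded or rate_limited


def rule_matches(msg: Message) -> bool:
    return (len(meaningful_root_domains(msg)) == 1
            and any(link_shows_evasion(link) for link in msg.body_links))


# Constructed sample messages (assumptions; the domains are placeholders).
BLOCKLISTED = Message(
    "offers@mailer.example", ["alice@corp.example"],
    [Link("http://spam-site.example/landing",
          LinkAnalysis("http://spam-site.example/?q=IP+provider+is+blacklisted!"))])
RATE_LIMITED = Message(
    "offers@mailer.example", ["alice@corp.example"],
    [Link("http://spam-site.example/landing",
          LinkAnalysis("http://spam-site.example/landing", "Too Many Requests!"))])
REDIRECTED = Message(  # same marker, but the crawl landed on another host: no match
    "offers@mailer.example", ["alice@corp.example"],
    [Link("http://spam-site.example/landing",
          LinkAnalysis("http://elsewhere.example/?q=IP+provider+is+blacklisted!"))])
TWO_DOMAINS = Message(  # two meaningful root domains: the first condition fails
    "offers@mailer.example", ["alice@corp.example"],
    [Link("http://spam-site.example/landing",
          LinkAnalysis("http://spam-site.example/landing", "Too Many Requests!")),
     Link("http://other-site.example/x", LinkAnalysis("http://other-site.example/x"))])

if __name__ == "__main__":
    for name, msg in [("blocklisted", BLOCKLISTED), ("rate_limited", RATE_LIMITED),
                      ("redirected", REDIRECTED), ("two_domains", TWO_DOMAINS)]:
        print(f"{name}: {rule_matches(msg)}")
```

Two behaviours worth noting when tuning: the rate-limit branch is an exact comparison of the whole page text, so any surrounding markup text defeats it, and the blocklist branch only inspects the `q` parameter of the URL the crawl ended on, so a site that reports the block in the page body rather than the query string is not caught. Both are as the rule is written, not limitations of this re-implementation.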

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email
Raw Content
name: "Link: Spam website with evasion indicators"
description: "Detects messages containing links to spam websites that show signs of evasion techniques, including blocklisted IP provider messages or rate limiting responses when analyzed."
type: "rule"
severity: "low"
source: |
  type.inbound
  // single meaningful root domain in links
  and length(filter(distinct(body.links, .href_url.domain.root_domain),
                    // filter out unrelated domains
                    .href_url.domain.root_domain != sender.email.domain.root_domain
                    and any(recipients.to,
                            .email.domain.root_domain != ..href_url.domain.root_domain
                    )
                    and .href_url.domain.root_domain not in ("aka.ms")
             )
  ) == 1
  // specific spam website pattern
  and any(body.links,
          // did not redirect to any other domain
          ml.link_analysis(.).effective_url.domain.domain == .href_url.domain.domain
          and (
            // LinkAnalysis was "evaded"
            any(ml.link_analysis(.).effective_url.query_params_decoded["q"],
                strings.icontains(., "IP provider is blacklisted!")
            )
            // or we encountered the rate limiting
            or ml.link_analysis(.).final_dom.inner_text == "Too Many Requests!"
          )
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "URL screenshot"
  - "Content analysis"
id: "08bcd353-a0a5-5718-8a6e-287320202dd3"