Sublime · severity: high · Rule
Vendor compromise: GovDelivery message with suspicious link
Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery accounts delivering phishing emails.
MITRE ATT&CK
initial-access, defense-evasion
Detection Query
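// Vendor compromise: GovDelivery message with suspicious link
// Matches inbound mail attributed to GovDelivery (sender or header domain) that
// also passes SPF or DMARC, and whose CL0-wrapped tracking link resolves to a
// destination outside the vendor's/Google's domains and outside the gov TLD,
// where that destination shows one of: URL shortener, social landing host, free
// subdomain host, registration under 30 days old, an IPFS reference in the
// redirect chain, or a multi-hop redirect ending on a Tranco top-10k site.
type.inbound
// Attribution to GovDelivery by sender domain or by any header domain
and (
  sender.email.domain.domain == "public.govdelivery.com"
  or any(headers.domains, .root_domain == "govdelivery.com")
)
// A merely spoofed GovDelivery From: address does not pass this; the rule is
// about mail that actually went through the vendor's sending infrastructure
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
// Link-count cap (presumably to skip link-heavy bulk newsletters)
and length(body.links) < 10
and any(body.links,
  // GovDelivery wraps each tracked destination as /CL0/<url>/1/...; extract the
  // wrapped URL and keep only destinations that are not on the vendor's own or
  // Google's domains and not under the gov TLD
  any(filter(regex.extract(.href_url.path, '/CL0/(?P<url>.*?)/1/'),
        strings.parse_url(.named_groups["url"]).domain.root_domain not in (
          "google.com",
          "govdelivery.com",
          "granicus.com",
          "legistar1.com" // domain owned by granicus
        )
        and strings.parse_url(.named_groups["url"]).domain.tld not in (
          "gov"
        )
      ),
      // this is inside the filtered results to avoid flagging this condition on known link domains, as listed above
      // Destination host or its registrable domain is a URL shortener, a social
      // media landing host, or a free subdomain host
      strings.parse_url(.named_groups["url"]).domain.domain in $url_shorteners
      or strings.parse_url(.named_groups["url"]).domain.domain in $social_landing_hosts
      or strings.parse_url(.named_groups["url"]).domain.root_domain in $url_shorteners
      or strings.parse_url(.named_groups["url"]).domain.root_domain in $social_landing_hosts
      or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
      or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
      // Destination domain registered within the last 30 days
      or network.whois(strings.parse_url(.named_groups["url"]).domain).days_old < 30
      // Any hop in the redirect chain is newly registered or references IPFS
      or any(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history,
        network.whois(.domain).days_old < 30
        or strings.icontains(.domain.domain, "ipfs")
        // '-' is placed last so it is a literal delimiter; the previous class
        // '[\.-/]' was parsed as the range '.'..'/' and never matched a hyphen
        or regex.icontains(.query_params, '[./-]ipfs[./-]')
      )
      // page redirects to common website, observed when evasion happens
      or (
        length(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history) > 1
        and ml.link_analysis(strings.parse_url(.named_groups["url"])).effective_url.domain.root_domain in $tranco_10k
      )
  )
)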
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
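# Sublime detection rule. `source` is the MQL query; the remaining keys are the
# rule's catalogue metadata. Block-literal content and list items are indented
# so the document parses (the page rendering had flattened them to column 0).
name: "Vendor compromise: GovDelivery message with suspicious link"
description: "Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery delivering phishing emails."
type: "rule"
severity: "high"
source: |
  // Matches inbound mail attributed to GovDelivery that passes SPF or DMARC and
  // whose CL0-wrapped tracking link points outside the vendor's/Google's domains
  // and outside the gov TLD, where the destination shows a phishing indicator
  type.inbound
  // Attribution to GovDelivery by sender domain or by any header domain
  and (
    sender.email.domain.domain == "public.govdelivery.com"
    or any(headers.domains, .root_domain == "govdelivery.com")
  )
  // A merely spoofed GovDelivery From: address does not pass this; the rule is
  // about mail that actually went through the vendor's sending infrastructure
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  // Link-count cap (presumably to skip link-heavy bulk newsletters)
  and length(body.links) < 10
  and any(body.links,
    // GovDelivery wraps each tracked destination as /CL0/<url>/1/...; extract the
    // wrapped URL and keep only destinations that are not on the vendor's own or
    // Google's domains and not under the gov TLD
    any(filter(regex.extract(.href_url.path, '/CL0/(?P<url>.*?)/1/'),
          strings.parse_url(.named_groups["url"]).domain.root_domain not in (
            "google.com",
            "govdelivery.com",
            "granicus.com",
            "legistar1.com" // domain owned by granicus
          )
          and strings.parse_url(.named_groups["url"]).domain.tld not in (
            "gov"
          )
        ),
        // this is inside the filtered results to avoid flagging this condition on known link domains, as listed above
        // Destination host or its registrable domain is a URL shortener, a social
        // media landing host, or a free subdomain host
        strings.parse_url(.named_groups["url"]).domain.domain in $url_shorteners
        or strings.parse_url(.named_groups["url"]).domain.domain in $social_landing_hosts
        or strings.parse_url(.named_groups["url"]).domain.root_domain in $url_shorteners
        or strings.parse_url(.named_groups["url"]).domain.root_domain in $social_landing_hosts
        or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
        or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
        // Destination domain registered within the last 30 days
        or network.whois(strings.parse_url(.named_groups["url"]).domain).days_old < 30
        // Any hop in the redirect chain is newly registered or references IPFS
        or any(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history,
          network.whois(.domain).days_old < 30
          or strings.icontains(.domain.domain, "ipfs")
          // '-' is placed last so it is a literal delimiter; the previous class
          // '[\.-/]' was parsed as the range '.'..'/' and never matched a hyphen
          or regex.icontains(.query_params, '[./-]ipfs[./-]')
        )
        // page redirects to common website, observed when evasion happens
        or (
          length(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history) > 1
          and ml.link_analysis(strings.parse_url(.named_groups["url"])).effective_url.domain.root_domain in $tranco_10k
        )
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free subdomain host"
  - "IPFS"
  - "Social engineering"
  - "Evasion"
  - "Impersonation: Brand"
detection_methods:
  - "Natural Language Understanding"
  - "URL analysis"
  - "Whois"
id: "0d2d5172-de93-5452-872e-68db64b089ce"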