← Back to Explore
sublimelowRule
Link: Invoice or receipt from freemail sender with customer service number
An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
Detection Query
type.inbound
and sender.email.domain.root_domain in $free_email_providers
and any(body.links,
.display_text == "Unsubscribe"
and (
length(.href_url.query_params) == 0 or .href_url.query_params is null
)
and (
.href_url.path == "/"
or .href_url.path is null
or (
.href_url.domain.root_domain == "google.com"
and not strings.ilike(.href_url.path, "*/forms/*")
)
)
)
and sender.email.email not in $sender_emails
Author
vector_sec
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Invoice or receipt from freemail sender with customer service number"
description: |
An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
type: "rule"
severity: "low"
authors:
- twitter: "vector_sec"
source: |
type.inbound
and sender.email.domain.root_domain in $free_email_providers
and any(body.links,
.display_text == "Unsubscribe"
and (
length(.href_url.query_params) == 0 or .href_url.query_params is null
)
and (
.href_url.path == "/"
or .href_url.path is null
or (
.href_url.domain.root_domain == "google.com"
and not strings.ilike(.href_url.path, "*/forms/*")
)
)
)
and sender.email.email not in $sender_emails
attack_types:
- "BEC/Fraud"
- "Callback Phishing"
tactics_and_techniques:
- "Free email provider"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "URL analysis"
id: "3825232d-be75-5ad1-ba7f-a3ec97d23960"