Sublime rule, severity: high

Link abuse: Self-service creation platform link with suspicious recipient behavior

Detects messages from new freemail senders containing links to self-service creation platforms with all-caps display text, combined with suspicious recipient patterns such as invalid recipients, self-sending, or unusual CC/BCC configurations.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
// new freemail sender
and profile.by_sender_email().prevalence == "new"
and sender.email.domain.domain in $free_email_providers
// suspicious recipient behavior (any one of the four patterns below)
and (
  // invalid rcpt
  length(filter(recipients.to, .email.domain.valid)) == 0
  // self sender
  or (
    length(recipients.to) == 1
    and sender.email.email == recipients.to[0].email.email
  )
  // a single CC recipient at another freemail provider
  or (
    length(recipients.cc) == 1
    and all(recipients.cc, .email.domain.domain in $free_email_providers)
  )
  // the recipient is another freemail with bcc
  or (
    length(recipients.to) == 1
    and recipients.to[0].email.domain.domain in $free_email_providers
    and length(recipients.bcc) > 0
  )
)
// few body links
and length(body.current_thread.links) < 10
// at least one link points at a self-service creation platform and its display text is all caps
and any(body.current_thread.links,
        (
          .href_url.domain.root_domain in $self_service_creation_platform_domains
          or .href_url.domain.domain in $self_service_creation_platform_domains
        )
        and regex.match(.display_text, '[A-Z0-9_\-\s]+')
)
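To make the rule's AND chain and its four recipient alternatives concrete, here is the same logic re-implemented in Python as an added example (it is not code from Sublime or from this rule's author). It runs against constructed sample messages and reports every sub-check, so an analyst can see which recipient leg fired or which condition stopped a match. The provider and platform lists, the message dictionary shape, the two-label `root_domain` stand-in, and the reading of MQL `regex.match` as an anchored whole-string match are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the Sublime-maintained lists the rule references
# ($free_email_providers and $self_service_creation_platform_domains).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
SELF_SERVICE_PLATFORM_DOMAINS = {"example-forms.test", "example-pages.test"}

# Assumption: MQL regex.match is anchored to the whole string, so the display
# text must consist only of capitals, digits, '_', '-' and whitespace.
ALL_CAPS_RE = re.compile(r"[A-Z0-9_\-\s]+")


def domain_of(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def root_domain(hostname):
    """Last two labels; a crude stand-in for MQL's public-suffix-aware root_domain."""
    labels = hostname.lower().split(".")
    return ".".join(labels[-2:])


def is_valid_domain(domain):
    """Approximates .email.domain.valid: at least two non-empty DNS labels."""
    return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain.lower()) is not None


def recipient_checks(msg):
    """The four alternatives inside the rule's recipient block, by name."""
    to, cc, bcc = msg.get("to", []), msg.get("cc", []), msg.get("bcc", [])
    sender = msg["sender"].lower()
    return {
        "no_valid_to": len([r for r in to if is_valid_domain(domain_of(r))]) == 0,
        "self_send": len(to) == 1 and to[0].lower() == sender,
        "single_freemail_cc": len(cc) == 1
        and all(domain_of(r) in FREE_EMAIL_PROVIDERS for r in cc),
        "freemail_to_with_bcc": len(to) == 1
        and domain_of(to[0]) in FREE_EMAIL_PROVIDERS
        and len(bcc) > 0,
    }


def platform_link_all_caps(links):
    """The any() clause: a link whose host (or its root) is a creation platform
    and whose display text is all caps."""
    for link in links:
        host = (urlsplit(link["href"]).hostname or "").lower()
        on_platform = (
            host in SELF_SERVICE_PLATFORM_DOMAINS
            or root_domain(host) in SELF_SERVICE_PLATFORM_DOMAINS
        )
        if on_platform and ALL_CAPS_RE.fullmatch(link.get("display_text", "")):
            return True
    return False


def evaluate(msg):
    """Mirror the rule's top-level AND chain and return every sub-check."""
    rcpt = recipient_checks(msg)
    links = msg.get("links", [])
    checks = {
        "inbound": msg.get("inbound", False),
        "new_sender": msg.get("sender_prevalence") == "new",
        "freemail_sender": domain_of(msg["sender"]) in FREE_EMAIL_PROVIDERS,
        "suspicious_recipients": any(rcpt.values()),
        "few_links": len(links) < 10,
        "platform_link_all_caps": platform_link_all_caps(links),
    }
    match = all(checks.values())  # only the top-level conditions decide the match
    checks.update(rcpt)           # recipient legs are attached for triage visibility
    checks["match"] = match
    return checks


# Constructed sample messages (not real traffic).
SELF_SENT_PLATFORM_LINK = {
    "inbound": True,
    "sender_prevalence": "new",
    "sender": "alex.new@gmail.com",
    "to": ["alex.new@gmail.com"],          # self-send; other recipients sit in Bcc
    "bcc": ["accounts@recipient-org.test"],
    "links": [{"href": "https://docs.example-forms.test/view/123",
               "display_text": "REVIEW INVOICE"}],
}
# Same message, but the link text is mixed case: the regex leg fails.
MIXED_CASE_TEXT = dict(SELF_SENT_PLATFORM_LINK,
                       links=[{"href": "https://docs.example-forms.test/view/123",
                               "display_text": "Review invoice"}])
# Same message from a non-freemail domain: the sender leg fails.
CORPORATE_SENDER = dict(SELF_SENT_PLATFORM_LINK, sender="alex@partner-corp.test")

if __name__ == "__main__":
    for name, sample in [("self-sent", SELF_SENT_PLATFORM_LINK),
                         ("mixed-case", MIXED_CASE_TEXT),
                         ("corporate", CORPORATE_SENDER)]:
        print(name, evaluate(sample))
```

Two details worth noticing when tuning: the first sample trips both the `self_send` and the `freemail_to_with_bcc` legs, so removing one of them from the rule would not lose this message, and the anchored regex rejects a single lowercase character, which is why the mixed-case sample falls through even though everything else about it is identical.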

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email
Raw Content
name: "Link abuse: Self-service creation platform link with suspicious recipient behavior"
description: "Detects messages from new freemail senders containing links to self-service creation platforms with all-caps display text, combined with suspicious recipient patterns such as invalid recipients, self-sending, or unusual CC/BCC configurations."
type: "rule"
severity: "high"
source: |
  type.inbound
  // new freemail sender
  and profile.by_sender_email().prevalence == "new"
  and sender.email.domain.domain in $free_email_providers
  // suspicious recipient behavior (any one of the four patterns below)
  and (
    // invalid rcpt
    length(filter(recipients.to, .email.domain.valid)) == 0
    // self sender
    or (
      length(recipients.to) == 1
      and sender.email.email == recipients.to[0].email.email
    )
    // a single CC recipient at another freemail provider
    or (
      length(recipients.cc) == 1
      and all(recipients.cc, .email.domain.domain in $free_email_providers)
    )
    // the recipient is another freemail with bcc
    or (
      length(recipients.to) == 1
      and recipients.to[0].email.domain.domain in $free_email_providers
      and length(recipients.bcc) > 0
    )
  )
  // few body links
  and length(body.current_thread.links) < 10
  // at least one link points at a self-service creation platform and its display text is all caps
  and any(body.current_thread.links,
          (
            .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $self_service_creation_platform_domains
          )
          and regex.match(.display_text, '[A-Z0-9_\-\s]+')
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "384ad135-a3c1-5d96-b864-2a6cd852406a"