
Service abuse: Substack credential theft with confusable characters and branded button redirects

Detects messages from Substack that use confusable characters in the sender display name, contain purple buttons or typical button classes that redirect to non-Substack domains, and include credential theft content with urgency indicators.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

type.inbound
and sender.email.domain.root_domain == 'substack.com'
and 2 of (
  // substack-branded elements pointing to non-substack domains
  any(filter(html.xpath(body.html, '//a[@href]').nodes,
             // purple button or typical button classes
             (
               strings.icontains(.raw, 'background-color: #7c3aed')
               or strings.icontains(.raw, 'background-color:#7c3aed')
               or strings.icontains(.raw, 'class="button')
               or strings.icontains(.raw, 'bgcolor="#7c3aed"')
             )
      ),
      // rewrites to non-Substack domain
      any(.links, .href_url.domain.root_domain not in~ ('substack.com'))
  ),
  // sender name contains confusables
  sender.display_name != strings.replace_confusables(sender.display_name),
  // lots of urgency entities
  length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "urgency"
         )
  ) >= 5,
  // excessive hidden character spam in HTML source
  any(html.xpath(body.html, '//*').nodes,
      (
        strings.count(.raw, '­') + strings.count(.raw, '͏')
 + strings.count(.raw, ' ')
      ) > 100
  )
)
// cred theft
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence != "low"
  )
)
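The rule above is written in Sublime's MQL, so it cannot be run outside that platform. As an added illustration (not code from Sublime or from the rule's author), the following Python prototype reproduces the three structural signals a defender can check without an NLU model: a confusable character in the sender display name, a purple or button-class anchor whose root domain is not substack.com, and a flood of invisible characters in the HTML source. The confusables table is a small assumed subset of the Unicode confusables data that `strings.replace_confusables` draws on; `root_domain` is a two-label approximation rather than a public-suffix lookup; the third invisible character (U+200B) is an assumption because it is not legible in the rule text; and the urgency-entity count and credential-theft confidence are supplied by the caller as stand-ins for `ml.nlu_classifier` output. The sample message is constructed for the example. The style check also collapses all whitespace, so it goes slightly beyond the two spacing variants the rule lists.

```python
"""Prototype of the structural checks in the Substack service-abuse rule.
Added example: not Sublime's engine, and the helpers only approximate
strings.replace_confusables and root_domain."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import unicodedata

BRAND_ROOT = "substack.com"
BUTTON_COLOR = "#7c3aed"  # the purple used by Substack-styled buttons in the rule

# Assumption: a small subset of the Unicode confusables table (Cyrillic/Greek
# look-alikes). The real replace_confusables function covers far more.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u0391": "A", "\u0392": "B",
    "\u0415": "E", "\u041e": "O", "\u0421": "C", "\u0420": "P", "\u0422": "T",
}

# Invisible characters counted by the hidden-character signal. U+00AD and
# U+034F appear in the rule; U+200B (zero-width space) is an assumption.
HIDDEN_CHARS = ("\u00ad", "\u034f", "\u200b")


def replace_confusables(text: str) -> str:
    """Map look-alike characters to ASCII, then fold compatibility forms (NFKC)."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", mapped)


def has_confusables(display_name: str) -> bool:
    """Mirrors: sender.display_name != strings.replace_confusables(sender.display_name)."""
    return display_name != replace_confusables(display_name)


def root_domain(url: str) -> str:
    """Last two host labels; a production check would consult the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


class AnchorCollector(HTMLParser):
    """Collect every <a href> together with the attributes the rule inspects."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if a.get("href"):
                self.anchors.append(a)


def looks_like_brand_button(a: dict) -> bool:
    """Purple background (any spacing), a class starting with 'button', or bgcolor."""
    style = (a.get("style") or "").replace(" ", "").lower()
    return (f"background-color:{BUTTON_COLOR}" in style
            or (a.get("class") or "").startswith("button")
            or (a.get("bgcolor") or "").lower() == BUTTON_COLOR)


def branded_buttons_offbrand(html: str) -> list:
    """Branded-looking buttons whose link leaves substack.com."""
    parser = AnchorCollector()
    parser.feed(html)
    return [a["href"] for a in parser.anchors
            if looks_like_brand_button(a) and root_domain(a["href"]) != BRAND_ROOT]


def hidden_char_count(html: str) -> int:
    return sum(html.count(c) for c in HIDDEN_CHARS)


def evaluate(sender_root: str, display_name: str, html: str,
             urgency_entities: int, cred_theft_confidence: str) -> dict:
    """Reproduce the rule's '2 of (...)' gate plus the cred_theft intent gate.
    urgency_entities and cred_theft_confidence are caller-supplied stand-ins
    for ml.nlu_classifier output (assumption: this example has no NLU)."""
    signals = {
        "branded_button_offbrand": bool(branded_buttons_offbrand(html)),
        "confusable_display_name": has_confusables(display_name),
        "urgency_entities": urgency_entities >= 5,
        "hidden_char_spam": hidden_char_count(html) > 100,
    }
    hit = sum(signals.values())
    fires = (sender_root == BRAND_ROOT and hit >= 2 and cred_theft_confidence != "low")
    return {"signals": signals, "signals_hit": hit, "fires": fires}


# Constructed sample: a phishing-style body that is not a real message.
SAMPLE_HTML = (
    "<p>Your Subst\u0430ck account will be suspended in 24 hours.</p>"
    '<a href="https://login-verify.example.net/substack" '
    'style="background-color: #7c3aed; color:#fff">Verify now</a>'
    '<a href="https://substack.com/help" class="button">Help</a>'
    "<span>" + "\u00ad\u034f" * 60 + "</span>"
)
SAMPLE_SENDER_ROOT = "substack.com"
SAMPLE_DISPLAY_NAME = "Subst\u0430ck Support"  # Cyrillic a (U+0430) for Latin a

if __name__ == "__main__":
    print(evaluate(SAMPLE_SENDER_ROOT, SAMPLE_DISPLAY_NAME, SAMPLE_HTML, 2, "high"))
```

On the sample, the off-brand button, the confusable display name and the hidden-character flood all fire, so the message passes the "2 of" gate even though the urgency count is below 5; the Help link styled as a button is ignored because its root domain is substack.com.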

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Service abuse: Substack credential theft with confusable characters and branded button redirects"
description: "Detects messages from Substack that use confusable characters in the sender display name, contain purple buttons or typical button classes that redirect to non-Substack domains, and include credential theft content with urgency indicators."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == 'substack.com'
  and 2 of (
    // substack-branded elements pointing to non-substack domains
    any(filter(html.xpath(body.html, '//a[@href]').nodes,
               // purple button or typical button classes
               (
                 strings.icontains(.raw, 'background-color: #7c3aed')
                 or strings.icontains(.raw, 'background-color:#7c3aed')
                 or strings.icontains(.raw, 'class="button')
                 or strings.icontains(.raw, 'bgcolor="#7c3aed"')
               )
        ),
        // rewrites to non-Substack domain
        any(.links, .href_url.domain.root_domain not in~ ('substack.com'))
    ),
    // sender name contains confusables
    sender.display_name != strings.replace_confusables(sender.display_name),
    // lots of urgency entities
    length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "urgency"
           )
    ) >= 5,
    // excessive hidden character spam in HTML source
    any(html.xpath(body.html, '//*').nodes,
        (
          strings.count(.raw, '­') + strings.count(.raw, '͏')
   + strings.count(.raw, ' ')
        ) > 100
    )
  )
  // cred theft
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "45bf0daf-e576-57ed-92d6-b351d4ab74b6"