Sublime rule, severity: high

Link: Unsolicited email contains link to page containing Tycoon URI structure

Detects links from unsolicited senders whose URI path matches the Tycoon phishing kit pattern: alphanumeric sequences separated by an exclamation mark or an at symbol.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

type.inbound
and 0 < length(body.links) < 15
and any(body.links,
        any(html.xpath(ml.link_analysis(.).final_dom, '//script//text()').nodes,
            // full tycoon uri struct
            any(.links,
                regex.icontains(.href_url.path,
                                '^\/[a-z0-9]{0,30}[!@][a-z0-9]{0,30}\/'
                )
                and not regex.icontains(.href_url.path, '\/[!@][a-z]{2,30}\/')
                and not strings.istarts_with(.href_url.domain.domain, 'www.')
                and not regex.icontains(.href_url.domain.root_domain,
                                        '(?:fpjs\.io|(?:medium|unpkg|alicdn)\.com|turtl\.co)'
                )
            )
        )
        // tycoon structured path and cloudflare captcha domain
        or (
          regex.icontains(.display_text,
                          '\/[a-zA-Z0-9]{0,30}[!@][a-zA-Z0-9]{0,30}\/'
          )
          and strings.icontains(.display_text, 'challenges.cloudflare.com')
        )
)
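To make the two branches of the query concrete, the following is an added Python model of the per-link predicates; it is not Sublime's code and not part of the rule. It copies the rule's regexes verbatim and applies them to a list of constructed (href, display_text) pairs. Two simplifications are assumptions: `root_domain` is approximated as the last two host labels (the real attribute is eTLD+1), and the path test is applied to the href directly rather than to links extracted from `<script>` text of the crawled landing page, which is what `ml.link_analysis(.).final_dom` does in the rule.

```python
import re
from urllib.parse import urlparse

# Regexes copied from the rule; re.IGNORECASE models regex.icontains.
TYCOON_PATH = re.compile(r'^\/[a-z0-9]{0,30}[!@][a-z0-9]{0,30}\/', re.IGNORECASE)
# Exclusion: separator followed directly by letters, i.e. /@author/ handle-style paths.
HANDLE_PATH = re.compile(r'\/[!@][a-z]{2,30}\/', re.IGNORECASE)
# Exclusion: root domains the rule allowlists because they legitimately use this shape.
ALLOWLISTED_ROOT = re.compile(r'(?:fpjs\.io|(?:medium|unpkg|alicdn)\.com|turtl\.co)',
                              re.IGNORECASE)
# Second branch: same path shape in the link's display text plus a Cloudflare challenge host.
DISPLAY_PATH = re.compile(r'\/[a-zA-Z0-9]{0,30}[!@][a-zA-Z0-9]{0,30}\/', re.IGNORECASE)
CAPTCHA_HOST = 'challenges.cloudflare.com'


def root_domain(host: str) -> str:
    """Assumption: approximate .href_url.domain.root_domain as the last two labels.
    A production implementation would use a public-suffix list to get eTLD+1."""
    labels = host.lower().split('.')
    return '.'.join(labels[-2:])


def matches_tycoon_struct(href: str) -> bool:
    """Model of the rule's 'full tycoon uri struct' branch for a single href."""
    url = urlparse(href)
    host = url.hostname or ''
    path = url.path or ''
    if not TYCOON_PATH.search(path):
        return False          # path lacks the <alnum>[!@]<alnum>/ shape
    if HANDLE_PATH.search(path):
        return False          # /@name/ style path, e.g. an author handle
    if host.startswith('www.'):
        return False          # rule: not strings.istarts_with(domain, 'www.')
    if ALLOWLISTED_ROOT.search(root_domain(host)):
        return False          # allowlisted CDN / blogging platform
    return True


def matches_captcha_branch(display_text: str) -> bool:
    """Model of the rule's display-text branch."""
    return bool(DISPLAY_PATH.search(display_text)) and CAPTCHA_HOST in display_text.lower()


def evaluate_message(links) -> bool:
    """links: iterable of (href, display_text) pairs from the message body.
    Mirrors the 0 < length(body.links) < 15 gate and the per-link any()."""
    links = list(links)
    if not 0 < len(links) < 15:
        return False
    return any(matches_tycoon_struct(h) or matches_captcha_branch(t) for h, t in links)


# Constructed sample links (not real indicators), one per clause of the rule.
SAMPLE_LINKS = [
    ('https://cdn.example-hosting.test/a1b2c3!x9y8z7/', 'Review document'),  # matches
    ('https://medium.com/@someauthor/', 'Read the post'),  # handle path and allowlisted root
    ('https://www.example.test/abc@def/', 'Our site'),     # www. prefix excluded
    ('https://cdn.alicdn.com/abc!def/', 'CDN asset'),      # allowlisted root domain
    ('https://example.test/normal/page/', 'Home'),         # no [!@] separator
]

if __name__ == '__main__':
    for href, text in SAMPLE_LINKS:
        print(f'{href:50} struct={matches_tycoon_struct(href)} '
              f'captcha={matches_captcha_branch(text)}')
    print('message flagged:', evaluate_message(SAMPLE_LINKS))
```

Running the model shows why each exclusion exists: the `/@someauthor/` path is the shape of a legitimate blogging handle and is caught twice (handle regex and allowlisted root), while the `www.` and root-domain tests drop hosting that the path regex alone would flag. When tuning, add exclusions to the allowlist regex rather than loosening `TYCOON_PATH`, so the core signature stays intact.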

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Link: Unsolicited email contains link to page containing Tycoon URI structure"
description: "Detects links containing Tycoon phishing kit URI patterns with specific alphanumeric sequences separated by exclamation marks or at symbols from unsolicited senders."
type: "rule"
severity: "high"
source: |
    type.inbound
    and 0 < length(body.links) < 15
    and any(body.links,
            any(html.xpath(ml.link_analysis(.).final_dom, '//script//text()').nodes,
                // full tycoon uri struct
                any(.links,
                    regex.icontains(.href_url.path,
                                    '^\/[a-z0-9]{0,30}[!@][a-z0-9]{0,30}\/'
                    )
                    and not regex.icontains(.href_url.path, '\/[!@][a-z]{2,30}\/')
                    and not strings.istarts_with(.href_url.domain.domain, 'www.')
                    and not regex.icontains(.href_url.domain.root_domain,
                                            '(?:fpjs\.io|(?:medium|unpkg|alicdn)\.com|turtl\.co)'
                    )
                )
            )
            // tycoon structured path and cloudflare captcha domain
            or (
              regex.icontains(.display_text,
                              '\/[a-zA-Z0-9]{0,30}[!@][a-zA-Z0-9]{0,30}\/'
              )
              and strings.icontains(.display_text, 'challenges.cloudflare.com')
            )
    )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "531aa65a-fd5d-54f6-ac18-1019b12e4c6a"