Link: Credential theft with invisible Unicode character in page title from unsolicited sender
Detects messages containing credential theft language and links to pages with invisible Unicode characters in the title tag, a technique commonly used to evade detection in fraudulent pages.
Detection Query
type.inbound
// single recipient
and length(recipients.to) == 1
// valid recipient domain
and recipients.to[0].email.domain.valid
// between 1 and 14 links in the email
and 0 < length(body.links) < 15
// length of current thread is under 11k
and length(body.current_thread.text) < 11000
// tycoon captchas often have a page title with a specific unicode invisible char
and any(body.links,
        strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                         "<title>\u{200B}</title>"
        )
        and length(ml.link_analysis(., mode="aggressive").final_dom.raw) < 10000
)
// unsolicited message
and not profile.by_sender().solicited
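The `any(body.links, ...)` clause above matches the final rendered DOM against the literal string `<title>\u{200B}</title>`, i.e. a title consisting of exactly one ZERO WIDTH SPACE. The Python below is an added example, not Sublime's code or part of the rule, that reproduces that literal check over constructed HTML and then generalizes it: it extracts the `<title>` text, decodes HTML entities (so `&#8203;` is treated the same as a raw U+200B), and reports a title as "invisible" when every remaining code point is a zero-width or format character. The page-size threshold mirrors the rule's `< 10000` check on `final_dom.raw`. The list of invisible code points and the sample pages are assumptions constructed for the example.

```python
import html
import re
import unicodedata

# Zero-width / invisible code points seen padding page titles. Illustrative set
# (assumption for this example); Unicode category "Cf" covers most of them.
INVISIBLE = {
    "\u200b",  # ZERO WIDTH SPACE (the literal the rule looks for)
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
    "\u00ad",  # SOFT HYPHEN
    "\u3164",  # HANGUL FILLER (category Lo, renders blank)
    "\u2800",  # BRAILLE PATTERN BLANK (category So, renders blank)
}

# Size threshold the rule applies to the final DOM (from the rule text).
MAX_DOM_LENGTH = 10000

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def matches_rule_literal(raw_html: str) -> bool:
    """The exact substring test the rule performs on final_dom.raw."""
    return "<title>\u200b</title>" in raw_html


def extract_title(raw_html: str):
    """Return the decoded text of the first <title> element, or None."""
    match = TITLE_RE.search(raw_html)
    if match is None:
        return None
    # Decode entities so "&#8203;" becomes U+200B before inspection.
    return html.unescape(match.group(1)).strip(" \t\r\n")


def is_invisible_char(ch: str) -> bool:
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"


def title_is_invisible(raw_html: str) -> bool:
    """True when the page has a non-empty title made only of invisible chars."""
    title = extract_title(raw_html)
    if not title:
        # No title, or an empty one, is not the evasion pattern.
        return False
    return all(is_invisible_char(c) for c in title)


def dom_matches(raw_html: str) -> bool:
    """Generalized form of the rule's DOM clause: invisible title + small page."""
    return title_is_invisible(raw_html) and len(raw_html) < MAX_DOM_LENGTH


# Constructed sample pages (not real captures).
SAMPLE_PAGES = {
    "raw_zwsp": "<html><head><title>\u200b</title></head><body></body></html>",
    "entity_zwsp": "<html><head><title>&#8203;</title></head><body></body></html>",
    "joiners": "<html><head><title>\u200b\u200d\u2060</title></head></html>",
    "benign": "<html><head><title>Sign in to your account</title></head></html>",
    "empty_title": "<html><head><title></title></head></html>",
    "no_title": "<html><head></head><body>hello</body></html>",
}


def scan_samples():
    """Run both the literal and the generalized check over every sample."""
    return {
        name: {"literal": matches_rule_literal(page), "generalized": dom_matches(page)}
        for name, page in SAMPLE_PAGES.items()
    }


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:12s} literal={result['literal']!s:5s} generalized={result['generalized']}")
```

The `entity_zwsp` sample is the instructive one: the rule's literal substring match does not fire on an entity-encoded zero-width space, while the decoded check does, which is the kind of gap to keep in mind when tuning a rule built on `strings.contains` over raw DOM text.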
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Credential theft with invisible Unicode character in page title from unsolicited sender"
description: "Detects messages containing credential theft language and links to pages with invisible Unicode characters in the title tag, a technique commonly used to evade detection in fraudulent pages."
type: "rule"
severity: "high"
source: |
  type.inbound
  // single recipient
  and length(recipients.to) == 1
  // valid recipient domain
  and recipients.to[0].email.domain.valid
  // between 1 and 14 links in the email
  and 0 < length(body.links) < 15
  // length of current thread is under 11k
  and length(body.current_thread.text) < 11000
  // tycoon captchas often have a page title with a specific unicode invisible char
  and any(body.links,
          strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                           "<title>\u{200B}</title>"
          )
          and length(ml.link_analysis(., mode="aggressive").final_dom.raw) < 10000
  )
  // unsolicited message
  and not profile.by_sender().solicited
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "Content analysis"
- "HTML analysis"
- "URL analysis"
- "URL screenshot"
id: "5fe14d53-ef7f-5edb-a4a8-d2912382b564"