Sublime rule, severity: high

Link: Mamba 2FA phishing kit

Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history.

MITRE ATT&CK

Defense Evasion
Initial Access

Detection Query

type.inbound
and length(body.links) < 10
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == 'cred_theft' and .confidence == 'high'
  )
  or (
    length(recipients.to) == 1
    and any(recipients.to,
            strings.icontains(body.current_thread.text, .email.email)
    )
    and regex.icontains(body.current_thread.text,
                        '(invoice|document|docusign|past due|confirm receipt)'
    )
  )
  or (
    sender.email.domain.domain == 'icloud.com'
    and any(attachments, .file_name == 'invite.ics')
  )
)
and any(body.links,
        any(ml.link_analysis(., mode="aggressive").redirect_history,
            (
              // sv= in base64 as well as commonly observed tag
              regex.contains(.url, '(?:(?:/?|=)c3Y9|N0123N)')
              // &uid=USER base64 offsets
              and (
                strings.contains(.url, 'JnVpZD1VU0VS')
                or strings.contains(.url, 'Z1aWQ9VVNFU')
                or strings.contains(.url, 'mdWlkPVVTRV')
              )
            )
        )
)
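The three '&uid=USER' strings in the rule exist because a substring of base64 output depends on where the plaintext marker falls relative to a 3-byte boundary. The following Python is an added example, not part of the Sublime rule or its page: it derives the alignment-stable forms of the marker and mirrors the rule's per-link test over constructed redirect chains (the hosts and URLs are placeholders, not real indicators).

```python
import base64
import math
import re

# Added example: derive base64 alignment variants and apply the rule's link test.

def base64_alignment_variants(marker: bytes) -> list[str]:
    """Return the substring that stays fixed for each of the three byte
    alignments at which `marker` can sit inside a base64-encoded string."""
    variants = []
    for k in range(3):
        # Prepend k bytes so the marker starts at byte offset k of a 3-byte group.
        encoded = base64.b64encode(bytes(k) + marker).decode().rstrip("=")
        # Leading chars that mix prefix bits with marker bits: ceil(8k / 6).
        lead = math.ceil(4 * k / 3)
        # A trailing partial group leaves one char mixed with zero padding bits.
        tail = 1 if (k + len(marker)) % 3 else 0
        variants.append(encoded[lead:len(encoded) - tail])
    return variants

# These reproduce the rule's literals: JnVpZD1VU0VS, Z1aWQ9VVNFU, mdWlkPVVTRV.
UID_VARIANTS = base64_alignment_variants(b"&uid=USER")
# The rule only keys on the offset-0 form of 'sv=' (c3Y9) plus the observed tag.
SV_PATTERN = re.compile(r"(?:(?:/?|=)c3Y9|N0123N)")

def matches_mamba_link(redirect_history: list[str]) -> bool:
    """Mirror of the rule's link condition: some hop in the redirect history
    carries the base64 'sv=' marker (or tag) and one '&uid=USER' alignment.
    Matching is case-sensitive, as base64 is."""
    return any(
        SV_PATTERN.search(url) and any(v in url for v in UID_VARIANTS)
        for url in redirect_history
    )

# Constructed redirect chains with placeholder hosts.
SUSPICIOUS_CHAIN = [
    "https://redirector.example/go?x=1",
    # 'sv=' sits at offset 0, '&uid=USER' at offset 7 (alignment 1).
    "https://landing.example/#" + base64.b64encode(b"sv=o365&uid=USER&t=1").decode(),
]
BENIGN_CHAIN = [
    "https://mail.example/track?id=abc",
    "https://docs.example/view?file=report.pdf",
]
```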

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Link: Mamba 2FA phishing kit"
description: "Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.links) < 10
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
    )
    or (
      length(recipients.to) == 1
      and any(recipients.to,
              strings.icontains(body.current_thread.text, .email.email)
      )
      and regex.icontains(body.current_thread.text,
                          '(invoice|document|docusign|past due|confirm receipt)'
      )
    )
    or (
      sender.email.domain.domain == 'icloud.com'
      and any(attachments, .file_name == 'invite.ics')
    )
  )
  and any(body.links,
          any(ml.link_analysis(., mode="aggressive").redirect_history,
              (
                // sv= in base64 as well as commonly observed tag
                regex.contains(.url, '(?:(?:/?|=)c3Y9|N0123N)')
                // &uid=USER base64 offsets
                and (
                  strings.contains(.url, 'JnVpZD1VU0VS')
                  or strings.contains(.url, 'Z1aWQ9VVNFU')
                  or strings.contains(.url, 'mdWlkPVVTRV')
                )
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
id: "8d527c0f-9dc8-5d96-ac85-13f67147cc9c"