
Free subdomain link with credential theft indicators

Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.root_domain in $free_subdomain_hosts
        and .href_url.domain.subdomain is not null
        and .href_url.domain.subdomain != "www"
)
and (
  (
    (
      length(recipients.to) == 0
      or all(recipients.to, .display_name == "Undisclosed recipients")
    )
    and length(recipients.cc) == 0
    and length(recipients.bcc) == 0
  )
  or (
    length(recipients.to) == 1
    and any(recipients.to, .email.email == sender.email.email)
  )
  or (
    length(recipients.to) == 0
    and length(recipients.cc) == 0
    and length(recipients.bcc) > 0
  )
)
and any(body.links,
        any(file.explode(ml.link_analysis(.).screenshot),
            any(ml.nlu_classifier(.scan.ocr.raw).intents,
                .name == "cred_theft" and .confidence != "low"
            )
        )
)
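To make the query's logic concrete, the following is an added Python reimplementation of the rule's three checks (free-subdomain link on a non-www subdomain, suspicious recipients pattern, credential-theft intent on the linked page) run over a constructed message; it is not Sublime's code. Assumptions: `$free_subdomain_hosts` is stood in by a small constructed set, the root-domain split is a naive two-label split rather than a public-suffix-aware one, and the screenshot/OCR/NLU pipeline is represented only by its output (an intent-to-confidence mapping) supplied as input.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the $free_subdomain_hosts list (assumption)
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "github.io", "wixsite.com"}


@dataclass
class Recipient:
    email: str
    display_name: str = ""


@dataclass
class Message:
    sender: str                      # mirrors sender.email.email
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    links: list = field(default_factory=list)
    # Stand-in for ml.nlu_classifier(...).intents over the screenshot OCR:
    # {intent_name: confidence}, e.g. {"cred_theft": "high"} (assumption)
    ocr_intents: dict = field(default_factory=dict)


def free_subdomain_link(href: str) -> bool:
    """First clause: root_domain in the free-host list, subdomain present and != www."""
    labels = (urlsplit(href).hostname or "").lower().split(".")
    if len(labels) < 3:            # no subdomain at all (subdomain is null)
        return False
    root = ".".join(labels[-2:])   # naive root_domain (not PSL-aware; assumption)
    sub = ".".join(labels[:-2])
    return root in FREE_SUBDOMAIN_HOSTS and sub != "www"


def suspicious_recipients(m: Message) -> bool:
    """Recipients clause: the three patterns OR'd together, as in the query."""
    undisclosed = (not m.to or all(r.display_name == "Undisclosed recipients" for r in m.to)) \
        and not m.cc and not m.bcc
    self_addressed = len(m.to) == 1 and any(r.email.lower() == m.sender.lower() for r in m.to)
    bcc_only = not m.to and not m.cc and bool(m.bcc)
    return undisclosed or self_addressed or bcc_only


def cred_theft_on_page(m: Message) -> bool:
    """NLU clause: a cred_theft intent whose confidence is anything but low."""
    conf = m.ocr_intents.get("cred_theft")
    return conf is not None and conf != "low"


def rule_matches(m: Message) -> bool:
    """Whole rule (type.inbound is assumed true for every constructed message)."""
    return any(free_subdomain_link(l) for l in m.links) and suspicious_recipients(m) and cred_theft_on_page(m)
```

Each function mirrors one clause of the query, so a message can be traced through the checks individually when tuning or triaging the rule.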

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content

name: "Free subdomain link with credential theft indicators"
description: |
  Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain in $free_subdomain_hosts
          and .href_url.domain.subdomain is not null
          and .href_url.domain.subdomain != "www"
  )
  and (
    (
      (
        length(recipients.to) == 0
        or all(recipients.to, .display_name == "Undisclosed recipients")
      )
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
    )
    or (
      length(recipients.to) == 1
      and any(recipients.to, .email.email == sender.email.email)
    )
    or (
      length(recipients.to) == 0
      and length(recipients.cc) == 0
      and length(recipients.bcc) > 0
    )
  )
  and any(body.links,
          any(file.explode(ml.link_analysis(.).screenshot),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "9187479c-8941-5f28-88fe-0735fd2a86bc"