EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Link: Hotel booking spoofed display URL

Detects messages containing links with hotel-related display URLs that either redirect to different domains or contain suspicious parameters commonly used in booking scams and fraudulent hotel reservation schemes.

MITRE ATT&CK

T1566.002T1534T1656T1566T1566.001T1598T1036T1027
defense-evasioninitial-access

Detection Query

type.inbound
and any(body.links,
        strings.icontains(.display_url.url, 'booking.com')
        and not strings.icontains(.href_url.url,
                                  .display_url.domain.root_domain
        )
        and .display_url.domain.root_domain != .href_url.domain.root_domain
        and (
          regex.icontains(.display_url.url,
                          '(?:aid=\d{6}|label=gen\d+nr|review-bad|\b\w+\.html|expirince|hoteladmin|feedback)'
          )
          or .href_url.domain.root_domain == "share.google"
          or any(body.links, network.whois(.href_url.domain).days_old < 30)
        )
        and .mismatched
)
and not strings.icontains(body.current_thread.text,
                          "unsubscribe from this list"
)
and not (
  sender.email.domain.root_domain == "booking.com"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: Hotel booking spoofed display URL"
description: "Detects messages containing links with hotel-related display URLs that either redirect to different domains or contain suspicious parameters commonly used in booking scams and fraudulent hotel reservation schemes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          strings.icontains(.display_url.url, 'booking.com')
          and not strings.icontains(.href_url.url,
                                    .display_url.domain.root_domain
          )
          and .display_url.domain.root_domain != .href_url.domain.root_domain
          and (
            regex.icontains(.display_url.url,
                            '(?:aid=\d{6}|label=gen\d+nr|review-bad|\b\w+\.html|expirince|hoteladmin|feedback)'
            )
            or .href_url.domain.root_domain == "share.google"
            or any(body.links, network.whois(.href_url.domain).days_old < 30)
          )
          and .mismatched
  )
  and not strings.icontains(body.current_thread.text,
                            "unsubscribe from this list"
  )
  and not (
    sender.email.domain.root_domain == "booking.com"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
id: "96deeec7-170e-5100-8422-5105344e21ca"