Author: sublime | Severity: high | Type: Rule

Credential phishing: Engaging language with IPFS link

Body contains credential-theft indicators (password-expiration language plus an NLU cred_theft intent) and a link whose effective URL points to IPFS content: either a URL containing "ipfs" or an /ipfs/-style path on a domain that is not the organization's and is either low-reputation or a free file/subdomain host. IPFS gateways have recently been observed hosting phishing sites.

Detection Query

type.inbound
and strings.ilike(body.html.display_text, "*expir*")
and strings.ilike(body.html.display_text, "*password*")
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
)
and any(body.links,
        strings.icontains(ml.link_analysis(.).effective_url.url, 'ipfs')
        or (
          // 'ipfs' delimited by '.', '/' or '-'; the dash is placed last so it
          // is a literal rather than a character range
          regex.icontains(ml.link_analysis(.).effective_url.path,
                          '[./-]ipfs|ipfs[./-]'
          )
          and ml.link_analysis(.).effective_url.domain.domain not in $org_domains
          and (
            (
              // don't include high rep domains
              ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
              and ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
            )
            // if it's in Tranco or Umbrella, still include it if it's one of these
            or ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
            or ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
            or ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
          )
        )
)
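To see how the link predicate and the body conditions above behave on concrete input, here is an offline re-implementation in Python. This is an added example, not Sublime's rule engine or code from the rule repository: ml.link_analysis is replaced by a plain URL parse (no redirect following), the NLU cred_theft intent is passed in as data, the two body text fields are collapsed into one, and the $org_domains, $tranco_1m, $umbrella_1m, $free_file_hosts and $free_subdomain_hosts lists are small constructed sets. The sample URLs and messages are constructed as well.

```python
"""Offline re-implementation of the IPFS credential-phishing rule's logic.
Added example: ml.link_analysis is a plain URL parse, the NLU intent is
passed in as data, and the $-prefixed lists are constructed stand-ins."""
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the rule's list variables (hypothetical contents).
ORG_DOMAINS = {"example.com", "mail.example.com"}
TRANCO_1M = {"github.com", "docs.example.org", "cloudflare-ipfs.com"}
UMBRELLA_1M = {"github.com", "cloudflare-ipfs.com"}
FREE_FILE_HOSTS = {"transfer.example-files.net"}
FREE_SUBDOMAIN_HOSTS = {"dweb.link"}

# 'ipfs' delimited by '.', '/' or '-'. The dash is last in the class so it is
# a literal; written between two characters it would denote a range instead.
IPFS_PATH_RE = re.compile(r"[./-]ipfs|ipfs[./-]", re.IGNORECASE)


def class_matches(char_class: str, ch: str) -> bool:
    """True if the single character `ch` is matched by the regex class."""
    return re.fullmatch(char_class, ch) is not None


def root_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels. The real engine
    uses the Public Suffix List, so 'co.uk'-style suffixes are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def path_branch(url: str) -> bool:
    """Second alternative of the link predicate: an ipfs-looking path on a
    host that is not ours and is low-reputation or a free host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    root = root_domain(host)
    if not IPFS_PATH_RE.search(parts.path):
        return False
    if host in ORG_DOMAINS:
        return False
    low_reputation = host not in TRANCO_1M and host not in UMBRELLA_1M
    free_host = (host in FREE_FILE_HOSTS or root in FREE_FILE_HOSTS
                 or root in FREE_SUBDOMAIN_HOSTS)
    return low_reputation or free_host


def ipfs_link_reason(url: str):
    """Which alternative of the link predicate accepts `url`, or None."""
    if "ipfs" in url.lower():          # strings.icontains(effective_url.url, 'ipfs')
        return "url_contains_ipfs"
    if path_branch(url):
        return "path_branch"
    return None


def rule_matches(msg: dict) -> bool:
    """Evaluate the whole rule over a message dict of the form
    {"inbound": bool, "text": str, "intents": [str], "links": [str]}."""
    text = msg["text"].lower()
    return (msg["inbound"]
            and "expir" in text and "password" in text     # strings.ilike(..., "*expir*") etc.
            and "cred_theft" in msg["intents"]              # ml.nlu_classifier(...).intents
            and any(ipfs_link_reason(u) for u in msg["links"]))


# Constructed sample messages (not real mail).
PHISH = {
    "inbound": True,
    "text": "Your mailbox password will expire today. Verify now to keep access.",
    "intents": ["cred_theft"],
    "links": ["https://bafybeiexample.ipfs.dweb.link/verify.html"],
}
INTERNAL_RESET = {
    "inbound": True,
    "text": "Reminder: your password will expire in 14 days. Change it via the portal.",
    "intents": ["cred_theft"],   # NLU often flags legitimate reset notices too
    "links": ["https://mail.example.com/reset"],
}

if __name__ == "__main__":
    for name, msg in [("PHISH", PHISH), ("INTERNAL_RESET", INTERNAL_RESET)]:
        print(name, rule_matches(msg), [ipfs_link_reason(u) for u in msg["links"]])
```

Two things are worth noticing when running this. First, because effective_url.url is the full URL, any link whose path satisfies the second alternative already contains "ipfs" and is accepted by the first; path_branch is exposed separately so the organization, reputation and free-host exclusions can be exercised, but in the rule as written they only take effect if the first alternative is narrowed (for example to the host). Second, a character class such as `[\.-/]` is parsed as the range '.' through '/', which excludes '-', so delimiter lists in these patterns should keep the dash escaped or last.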

Data Sources

- Email Messages
- Email Headers
- Email Attachments

Platforms

email
Raw Content
name: "Credential phishing: Engaging language with IPFS link"
description: |
  Body contains credential-theft indicators (password-expiration language plus an NLU cred_theft intent) and a link whose effective URL points to IPFS content: either a URL containing "ipfs" or an /ipfs/-style path on a domain that is not the organization's and is either low-reputation or a free file/subdomain host. IPFS gateways have recently been observed hosting phishing sites.
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.ilike(body.html.display_text, "*expir*")
  and strings.ilike(body.html.display_text, "*password*")
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft"
  )
  and any(body.links,
          strings.icontains(ml.link_analysis(.).effective_url.url, 'ipfs')
          or (
            // 'ipfs' delimited by '.', '/' or '-'; the dash is placed last so it
            // is a literal rather than a character range
            regex.icontains(ml.link_analysis(.).effective_url.path,
                            '[./-]ipfs|ipfs[./-]'
            )
            and ml.link_analysis(.).effective_url.domain.domain not in $org_domains
            and (
              (
                // don't include high rep domains
                ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
                and ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
              )
              // if it's in Tranco or Umbrella, still include it if it's one of these
              or ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
              or ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
              or ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
            )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "IPFS"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "996c4d83-0a13-53e4-928c-6c08caeedab7"