Link: URL shortener with copy-paste instructions and credential theft language

name: "Link: URL shortener with copy-paste instructions and credential theft language"
description: "Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(body.current_thread.links) > 0
  and all(body.current_thread.links,
          .href_url.domain.root_domain in $url_shorteners
  )
  and (
    strings.icontains(body.current_thread.text, 'copy')
    and (
      strings.icontains(body.current_thread.text, 'pasting')
      or strings.icontains(body.current_thread.text, 'paste')
    )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence == 'high'
  )
  and (
    // self sender
    (
      length(recipients.to) == 1
      and sender.email.email == recipients.to[0].email.email
    )
    // or the sender is all undisclosed or there is no recipients
    or (
      length(recipients.to) == 0
      or all(recipients.to, .email.domain.valid == false)
    )
  )
  // negate display urls that match the sender root domain
  and not any(body.current_thread.links,
              .display_url.domain.root_domain == sender.email.domain.root_domain
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "a0a2c573-3686-590e-8715-fc4a32202c92"