← Back to Explore
sublimehighRule
Link: 9WOLF phishkit initial landing URI
Detects links containing the '?ai=xd' query parameter associated with 9wolf phishing service initial landing pages.
Detection Query
type.inbound
// known 9wolf initial landing uri struct
and any(body.links, strings.contains(.href_url.url, '?ai=xd'))
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: 9WOLF phishkit initial landing URI"
description: "Detects links containing the '?ai=xd' query parameter associated with 9wolf phishing service initial landing pages."
type: "rule"
severity: "high"
source: |
type.inbound
// known 9wolf initial landing uri struct
and any(body.links, strings.contains(.href_url.url, '?ai=xd'))
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "URL analysis"
- "Threat intelligence"
id: "a165e206-61b3-5b08-9408-2fe3c2bf0810"