EXPLORE
Sign In
← Back to Explore
sublimehighRule

Credential phishing link (unknown sender)

Message contains a link to a credential phishing page from an unknown sender.

MITRE ATT&CK

T1566T1566.001T1566.002T1598
initial-access

Detection Query

type.inbound
and 0 < length(body.links) < 10
and any(body.links,
        ml.link_analysis(.).credphish.disposition == "phishing"
        and (
          ml.link_analysis(.).credphish.confidence in ("medium", "high")
          or ml.link_analysis(.).credphish.contains_captcha
        )
        and length(ml.link_analysis(.).final_dom.links) < 50
        // negate legitimate use of Google reCAPTCHA embedded badge
        and not (
          (
            ml.link_analysis(.).credphish.brand.name == "Captcha"
            or ml.link_analysis(.).credphish.contains_captcha
          )
          and length(html.xpath(ml.link_analysis(.).final_dom,
                                "//div[@class='grecaptcha-badge' and @data-style='bottomright']"
                     ).nodes
          ) == 1
        )
)
and (
  (
    not profile.by_sender().solicited
    and profile.by_sender().prevalence != "common"
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate legit replies threads
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    // out of office auto-reply
    or strings.istarts_with(subject.subject, "Automatic reply:")
  )
  and (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Credential phishing link (unknown sender)"
description: |
  Message contains a link to a credential phishing page from an unknown sender.
type: "rule"
severity: "high"
source: |
  type.inbound
  and 0 < length(body.links) < 10
  and any(body.links,
          ml.link_analysis(.).credphish.disposition == "phishing"
          and (
            ml.link_analysis(.).credphish.confidence in ("medium", "high")
            or ml.link_analysis(.).credphish.contains_captcha
          )
          and length(ml.link_analysis(.).final_dom.links) < 50
          // negate legitimate use of Google reCAPTCHA embedded badge
          and not (
            (
              ml.link_analysis(.).credphish.brand.name == "Captcha"
              or ml.link_analysis(.).credphish.contains_captcha
            )
            and length(html.xpath(ml.link_analysis(.).final_dom,
                                  "//div[@class='grecaptcha-badge' and @data-style='bottomright']"
                       ).nodes
            ) == 1
          )
  )
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence != "common"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // negate legit replies threads
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  
  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  and not profile.by_sender().any_messages_benign


attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"