EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Suspicious recipient pattern and language with low reputation link to login

Message contains a suspicious recipient pattern, financial or urgent language, and a suspicious link, with a login page and confusable characters or multiple redirects.

MITRE ATT&CK

T1566T1566.001T1566.002T1598
initial-access

Detection Query

type.inbound
and any(body.links,
        (
          (
            .href_url.domain.root_domain not in $tranco_1m
            and .href_url.domain.valid
            and .href_url.domain.root_domain not in $org_domains
            and .href_url.domain.root_domain not in $high_trust_sender_root_domains
          )
          or .href_url.domain.tld in $suspicious_tlds
        )
        and (
          ml.link_analysis(.).credphish.contains_login
          and (
            ml.link_analysis(.).final_dom.display_text != strings.replace_confusables(ml.link_analysis(.
                                                                                      ).final_dom.display_text
            )
            or length(ml.link_analysis(.).redirect_history) > 1
          )
        )
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name in ("financial", "urgency")
)
and (
  (
    length(recipients.to) == 0
    or length(recipients.bcc) > 0
    or (
      all(recipients.to, .email.domain.valid == false)
      and all(recipients.cc, .email.domain.valid == false)
    )
  )
)
and all(body.links,
        .href_url.domain.root_domain != sender.email.domain.root_domain
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Suspicious recipient pattern and language with low reputation link to login"
description: "Message contains a suspicious recipient pattern, financial or urgent language, and a suspicious link, with a login page and confusable characters or multiple redirects."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          (
            (
              .href_url.domain.root_domain not in $tranco_1m
              and .href_url.domain.valid
              and .href_url.domain.root_domain not in $org_domains
              and .href_url.domain.root_domain not in $high_trust_sender_root_domains
            )
            or .href_url.domain.tld in $suspicious_tlds
          )
          and (
            ml.link_analysis(.).credphish.contains_login
            and (
              ml.link_analysis(.).final_dom.display_text != strings.replace_confusables(ml.link_analysis(.
                                                                                        ).final_dom.display_text
              )
              or length(ml.link_analysis(.).redirect_history) > 1
            )
          )
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("financial", "urgency")
  )
  and (
    (
      length(recipients.to) == 0
      or length(recipients.bcc) > 0
      or (
        all(recipients.to, .email.domain.valid == false)
        and all(recipients.cc, .email.domain.valid == false)
      )
    )
  )
  and all(body.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "a8ea0402-98eb-5a93-9f63-c54504b060b9"