Sublime rule, severity: medium
Link: /index.php enclosed in three asterisks
Detects messages containing a specific pattern of triple asterisks surrounding HTTP links that point to PHP index pages with query parameters, indicating potential malicious behavior. This specific pattern has been observed within messages leading to FakeAV/Tech Support scams.
Detection Query
type.inbound
and strings.count(body.current_thread.text, '* * *') == 2
and strings.contains(body.current_thread.text, ': http')
and strings.contains(body.current_thread.text, '/index.php?')
and regex.icontains(body.current_thread.text,
'\* \* \*(?:[^\r\n]+|[\r\n][^\r\n]*): https?:\/\/.*\/index\.php\?[a-z0-9]+(?:[^\r\n]+|[\r\n][^\r\n]*)\* \* \*'
)
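The four conditions of the query above, re-implemented in Python as an added example (not the rule itself and not Sublime's own code) and run over constructed sample bodies; `type.inbound` is approximated by a boolean flag and Sublime's `strings.*` / `regex.icontains` functions by their nearest Python equivalents, so this is an approximation of the platform's semantics.

```python
import re

# Added example: mirrors the rule's body checks. Not the Sublime engine.
TRIPLE_STAR = "* * *"
LINK_PATTERN = re.compile(
    r"\* \* \*(?:[^\r\n]+|[\r\n][^\r\n]*): https?:\/\/.*\/index\.php\?[a-z0-9]+"
    r"(?:[^\r\n]+|[\r\n][^\r\n]*)\* \* \*",
    re.IGNORECASE,  # regex.icontains is case-insensitive
)


def matches_rule(body_text: str, inbound: bool = True) -> bool:
    """Evaluate the rule's four conditions in the order they appear."""
    return (
        inbound                                         # type.inbound
        and body_text.count(TRIPLE_STAR) == 2           # strings.count(...) == 2
        and ": http" in body_text                       # strings.contains(...)
        and "/index.php?" in body_text                  # strings.contains(...)
        and LINK_PATTERN.search(body_text) is not None  # regex.icontains(...)
    )


# Constructed sample bodies (not real messages); the domain is a reserved test name.
SAMPLES = {
    # The layout the rule describes: a link line framed by two "* * *" lines.
    "framed_link": (
        "Your device has been flagged.\n"
        "* * *\n"
        "Remove the threat here: http://example.invalid/index.php?a1b2c3\n"
        "* * *\n"
        "Support desk"
    ),
    # Same layout with CRLF line endings: the [\r\n][^\r\n]* alternative consumes
    # only one line-ending character, so ': http' is never reached and the regex fails.
    "framed_link_crlf": (
        "Your device has been flagged.\r\n"
        "* * *\r\n"
        "Remove the threat here: http://example.invalid/index.php?a1b2c3\r\n"
        "* * *\r\n"
        "Support desk"
    ),
    # No query string: the '/index.php?' check fails.
    "no_query": "* * *\nSee: http://example.invalid/index.php\n* * *",
    # Three separators: the exact count of 2 fails even though the regex matches.
    "three_separators": "* * *\nSee: http://example.invalid/index.php?x1\n* * *\n* * *",
}


def evaluate_samples() -> dict:
    """Return {sample_name: matched} for every constructed body."""
    return {name: matches_rule(text) for name, text in SAMPLES.items()}
```

The CRLF sample shows a layout the regex does not cover unless the body text has been normalized to LF before evaluation.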
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: /index.php enclosed in three asterisks"
description: "Detects messages containing a specific pattern of triple asterisks surrounding HTTP links that point to PHP index pages with query parameters, indicating potential malicious behavior. This specific pattern has been observed within messages leading to FakeAV/Tech Support scams."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.count(body.current_thread.text, '* * *') == 2
  and strings.contains(body.current_thread.text, ': http')
  and strings.contains(body.current_thread.text, '/index.php?')
  and regex.icontains(body.current_thread.text,
  '\* \* \*(?:[^\r\n]+|[\r\n][^\r\n]*): https?:\/\/.*\/index\.php\?[a-z0-9]+(?:[^\r\n]+|[\r\n][^\r\n]*)\* \* \*'
  )
attack_types:
- "Malware/Ransomware"
- "Callback Phishing"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Content analysis"
- "URL analysis"
id: "aa4bbafc-85ac-5e40-a467-e8fc745332be"