Sublime Security rule, severity: medium

Credential phishing: AWS Lambda URL with recipient targeting

Detects inbound messages containing AWS Lambda function URLs with the recipient's own email address embedded in the URL fragment, a sign that the Lambda URL is hosting targeted credential-phishing content.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and recipients.to[0].email.domain.sld == sender.email.local_part
and any(body.links,
        strings.icontains(.href_url.domain.domain, "lambda-url")
        and strings.icontains(.href_url.fragment, recipients.to[0].email.email)
)
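The query combines three signals: the sender's local part matches the recipient domain's second-level label (a lookalike such as `acme@...` mailing `user@acme.com`), a body link points at a host containing `lambda-url`, and the URL fragment carries the recipient's full address so the landing page can pre-fill it. The following Python is an added illustration of that logic over constructed sample messages; it is not Sublime's own engine. It approximates two MQL semantics: `.href_url.domain.domain` (the registered domain) is checked against the full hostname instead, and `domain.sld` is taken as the label before the last one rather than via the public suffix list, so multi-part suffixes such as `co.uk` are not handled.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Message:
    """Minimal stand-in for the message fields the rule reads (assumed shape)."""
    sender: str
    recipients_to: list[str]
    body_links: list[str] = field(default_factory=list)
    inbound: bool = True  # stands in for type.inbound


def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def sld(domain: str) -> str:
    # Approximation of domain.sld: the label just before the last label.
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def lambda_url_recipient_targeting(msg: Message) -> bool:
    """Mirror of the rule: returns True when all three conditions hold."""
    if not msg.inbound or not msg.recipients_to:
        return False
    rcpt = msg.recipients_to[0].lower()
    # recipients.to[0].email.domain.sld == sender.email.local_part
    if sld(domain_of(rcpt)) != local_part(msg.sender):
        return False
    # any(body.links, icontains(domain, "lambda-url") and icontains(fragment, rcpt))
    for link in msg.body_links:
        parts = urlsplit(link)
        host = (parts.hostname or "").lower()
        if "lambda-url" in host and rcpt in parts.fragment.lower():
            return True
    return False


# Constructed samples (all addresses and URLs are made up for this example).
SAMPLES = {
    "lookalike_sender_lambda_fragment": Message(
        sender="acme@mail-relay.example",
        recipients_to=["alice@acme.com"],
        body_links=["https://abc123.lambda-url.us-east-1.on.aws/#Alice@acme.com"],
    ),
    "lambda_link_without_fragment": Message(
        sender="acme@mail-relay.example",
        recipients_to=["alice@acme.com"],
        body_links=["https://abc123.lambda-url.us-east-1.on.aws/"],
    ),
    "fragment_but_ordinary_host": Message(
        sender="acme@mail-relay.example",
        recipients_to=["alice@acme.com"],
        body_links=["https://www.example.org/login#alice@acme.com"],
    ),
    "sender_local_part_mismatch": Message(
        sender="billing@mail-relay.example",
        recipients_to=["alice@acme.com"],
        body_links=["https://abc123.lambda-url.us-east-1.on.aws/#alice@acme.com"],
    ),
}


def evaluate_samples() -> dict[str, bool]:
    return {name: lambda_url_recipient_targeting(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

Only the first sample fires: the fragment match is case-insensitive (the rule uses `strings.icontains`), and removing any one of the three conditions drops the message, which keeps ordinary Lambda-hosted links and generic lookalike senders out of the alert.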

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Credential phishing: AWS Lambda URL with recipient targeting"
description: "Detects messages containing AWS Lambda URLs with the recipient's email address embedded in the fragment, indicating potential abuse of AWS Lambda services for targeted malicious activities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and recipients.to[0].email.domain.sld == sender.email.local_part
  and any(body.links,
          strings.icontains(.href_url.domain.domain, "lambda-url")
          and strings.icontains(.href_url.fragment, recipients.to[0].email.email)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "b5775c73-ca5f-5244-ac21-201332efd313"