
Link: Webflow link from unsolicited sender

This detection rule matches on messages containing at least one link to webflow.io from an unsolicited sender. Webflow.io provides a free plan that lets users create custom websites and host files. This service has been abused by threat actors to host landing pages that direct victims to a next stage of credential phishing.

Detection Query

type.inbound
and any(body.links,
        // webflow link
        .href_url.domain.root_domain == 'webflow.io'
        and .href_url.domain.subdomain != ""
        and .href_url.domain.subdomain != "www"
        and .href_url.path == "/"
)
// not solicited or from malicious/spam user with no FPs
and (
  not profile.by_sender_email().solicited
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
)

// not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
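To make the three conditions of the query concrete, the following is an added Python re-implementation of the same logic run over a handful of constructed messages; it is example code written for this page, not Sublime's own engine or the rule itself. It assumes a two-label registrable domain when splitting a host into root domain and subdomain (MQL uses the public suffix list, which this toy does not), treats an empty URL path as "/" (an assumption about normalization the page does not state), and uses a made-up stand-in for the `$high_trust_sender_root_domains` list.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for the rule's $high_trust_sender_root_domains list (assumption).
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"example-corp.com"}


@dataclass
class SenderProfile:
    """Mirrors the profile.by_sender_email() fields the rule reads."""
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_messages_benign: bool = False


@dataclass
class Message:
    """Minimal stand-in for the MQL message object."""
    inbound: bool
    sender_email: str
    links: list
    dmarc_pass: bool
    profile: SenderProfile


def split_host(host):
    """Split a hostname into (root_domain, subdomain).
    Assumption: the last two labels form the registrable domain; real MQL
    consults the public suffix list, so e.g. co.uk domains would differ."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def is_webflow_landing_link(href):
    """The any(body.links, ...) predicate: a non-empty, non-www subdomain of
    webflow.io with path "/" (an empty path is treated as "/", an assumption)."""
    u = urlparse(href)
    if not u.hostname:
        return False
    root, sub = split_host(u.hostname)
    path = u.path or "/"
    return root == "webflow.io" and sub not in ("", "www") and path == "/"


def sender_root_domain(addr):
    return split_host(addr.rsplit("@", 1)[-1])[0]


def matches_rule(msg):
    """Evaluate the detection query against one message."""
    if not msg.inbound:
        return False
    if not any(is_webflow_landing_link(h) for h in msg.links):
        return False
    p = msg.profile
    # unsolicited, or a sender with only malicious/spam history and no benign messages
    suspicious_sender = (not p.solicited) or (
        p.any_messages_malicious_or_spam and not p.any_messages_benign
    )
    if not suspicious_sender:
        return False
    # a high-trust root domain is only exempted when DMARC actually passed
    root = sender_root_domain(msg.sender_email)
    if root in HIGH_TRUST_SENDER_ROOT_DOMAINS and msg.dmarc_pass:
        return False
    return True


# Constructed sample messages, one per branch of the query.
LINK = "https://login-portal.webflow.io/"
SAMPLES = {
    "unsolicited_webflow": Message(True, "a@freemail-example.net", [LINK], False, SenderProfile(solicited=False)),
    "solicited_benign_history": Message(True, "b@freemail-example.net", [LINK], False, SenderProfile(True, False, True)),
    "solicited_but_spam_history": Message(True, "c@freemail-example.net", [LINK], False, SenderProfile(True, True, False)),
    "www_subdomain": Message(True, "d@freemail-example.net", ["https://www.webflow.io/"], False, SenderProfile(False)),
    "non_root_path": Message(True, "e@freemail-example.net", ["https://foo.webflow.io/pricing"], False, SenderProfile(False)),
    "high_trust_dmarc_pass": Message(True, "f@example-corp.com", [LINK], True, SenderProfile(False)),
    "high_trust_dmarc_fail": Message(True, "g@example-corp.com", [LINK], False, SenderProfile(False)),
    "outbound": Message(False, "h@freemail-example.net", [LINK], False, SenderProfile(False)),
}


def evaluate_samples():
    """Return {sample_name: matched} for every constructed message."""
    return {name: matches_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:28s} -> {'MATCH' if hit else 'no match'}")
```

The two high-trust samples show why the DMARC clause is there: a message that merely claims a high-trust root domain but fails DMARC is still evaluated, while an authenticated message from that domain is exempted, which keeps the rule from alerting on legitimate mail that happens to carry a Webflow link.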

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Link: Webflow link from unsolicited sender"
description: "This detection rule matches on messaging containing at least one link to webflow.io from an unsolicited sender.  Webflow.io provides a free plan enabling users to create custom websites and file hosting.  This service has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          // webflow link
          .href_url.domain.root_domain == 'webflow.io'
          and .href_url.domain.subdomain != ""
          and .href_url.domain.subdomain != "www"
          and .href_url.path == "/"
  )
  // not solicited or from malicious/spam user with no FPs
  and (
    not profile.by_sender_email().solicited
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
  )
  
  // not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
id: "d4f3b8cf-6aa9-5e21-8307-8f4df248dded"