Sublime rule (severity: high)

Link: Self-sender credential theft with configuration placeholder

Detects messages where the sender and recipient are the same address, containing credential theft language and links with configuration placeholder text indicating a phishing lure.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

type.inbound
// self sender
and length(recipients.to) == 1
and sender.email.email == recipients.to[0].email.email
and any(body.current_thread.links,
        strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                         '/*──── CONFIG: Replace with your lure URL ────*/'
        )
)
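To see how the three conditions of the query combine on concrete messages, here is an added Python re-implementation over constructed samples; it is not Sublime's engine or the rule author's code, and it replaces ml.link_analysis with a constructed dict of final DOM strings keyed by URL (links with no analysis result are treated as non-matching).

```python
from dataclasses import dataclass

# Exact placeholder string the rule looks for in the rendered DOM of each link.
PLACEHOLDER = "/*──── CONFIG: Replace with your lure URL ────*/"

@dataclass
class Message:
    sender: str      # sender.email.email
    to: list         # recipients.to[*].email.email
    links: list      # body.current_thread.links (URLs)
    inbound: bool = True

def self_sender(msg: Message) -> bool:
    """length(recipients.to) == 1 and sender == recipients.to[0].
    Addresses are lower-cased here; that normalisation is an assumption of this example."""
    return len(msg.to) == 1 and msg.sender.lower() == msg.to[0].lower()

def has_placeholder_link(msg: Message, final_dom: dict) -> bool:
    """any(links, strings.contains(final_dom.raw, PLACEHOLDER)).
    final_dom stands in for ml.link_analysis(...).final_dom.raw per URL."""
    return any(PLACEHOLDER in final_dom.get(url, "") for url in msg.links)

def rule_matches(msg: Message, final_dom: dict) -> bool:
    return msg.inbound and self_sender(msg) and has_placeholder_link(msg, final_dom)

# Constructed sample data: one phishing kit page left with its template comment, one benign page.
FINAL_DOM = {
    "https://example.test/login": "<script>var target='" + PLACEHOLDER + "';</script>",
    "https://example.test/news": "<html><body>Monthly update</body></html>",
}
SAMPLES = [
    # self-sender + placeholder in DOM -> match
    Message("alice@example.test", ["alice@example.test"], ["https://example.test/login"]),
    # self-sender, benign link -> no match
    Message("alice@example.test", ["alice@example.test"], ["https://example.test/news"]),
    # different sender -> no match even though the link would match
    Message("bob@example.test", ["alice@example.test"], ["https://example.test/login"]),
    # two recipients -> fails length(recipients.to) == 1
    Message("alice@example.test", ["alice@example.test", "bob@example.test"], ["https://example.test/login"]),
    # link never analysed -> treated as non-matching rather than raising
    Message("alice@example.test", ["alice@example.test"], ["https://example.test/unknown"]),
]

def evaluate(samples, final_dom):
    return [rule_matches(m, final_dom) for m in samples]

if __name__ == "__main__":
    print(evaluate(SAMPLES, FINAL_DOM))  # [True, False, False, False, False]
```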

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Link: Self-sender credential theft with configuration placeholder"
description: "Detects messages where the sender and recipient are the same address, containing credential theft language and links with configuration placeholder text indicating a phishing lure."
type: "rule"
severity: "high"
source: |
  type.inbound
  // self sender
  and length(recipients.to) == 1
  and sender.email.email == recipients.to[0].email.email
  and any(body.current_thread.links,
          strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                           '/*──── CONFIG: Replace with your lure URL ────*/'
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "URL analysis"
  - "Header analysis"
id: "dbf2ce70-9637-5c05-a98c-5af01c687d17"