Link: Recipient domain in URL path

name: "Link: Recipient domain in URL path"
description: "This rule detects URL paths which contain the recipient SLD multiple times. This has been observed in multiple credential phishing campaigns with MFA enrollment themed lures."
type: "rule"
severity: "high"
source: |
  type.inbound
  // 
  and not profile.by_sender().solicited
  // not high trust sender domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and 
  // any of the body links, contain the recipient domain repeating multiple times in a link path
  any(
      // make a list of distinct email slds
      distinct(map(recipients.to, .email.domain.sld)),
      // take the list of slds and cat it into a string of /sld/sld/ and search for it in links
      any(body.links,
          strings.icontains(.href_url.path, strings.concat("/", .., "/", .., "/"))
      )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Lookalike domain"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "de08731f-5fce-56bc-91b3-53b40d99278e"