← Back to Explore
sublimemediumRule
Link: Multistage Landing - Abused Buildin.ai
Analyzes shared content links from buildin.ai domain that contain credential harvesting language with medium to high confidence in the display text.
Detection Query
type.inbound
// filter to just buildin.ai
and any(filter(body.links,
(
.href_url.domain.root_domain == "buildin.ai"
and strings.icontains(.href_url.path, '/share')
// inspect display text
)
),
any(ml.nlu_classifier(ml.link_analysis(., mode="aggressive").final_dom.display_text
).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Multistage Landing - Abused Buildin.ai"
description: "Analyzes shared content links from buildin.ai domain that contain credential harvesting language with medium to high confidence in the display text."
type: "rule"
severity: "medium"
source: |
type.inbound
// filter to just buildin.ai
and any(filter(body.links,
(
.href_url.domain.root_domain == "buildin.ai"
and strings.icontains(.href_url.path, '/share')
// inspect display text
)
),
any(ml.nlu_classifier(ml.link_analysis(., mode="aggressive").final_dom.display_text
).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
detection_methods:
- "URL analysis"
- "Natural Language Understanding"
id: "e0a79ef5-291e-5492-9449-c17d79f1cb23"