EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Link: Tax document lure Portuguese/Spanish with suspicious domains

Detects messages in Portuguese/Spanish containing tax document phrases that link to suspicious domains including URL shorteners, free file hosts, or newly registered domains.

MITRE ATT&CK

T1566.002T1534T1656T1566T1566.001T1598T1204.002T1486
initial-access

Detection Query

type.inbound
and 0 < length(body.links) < 15
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and (
  // portuguese tax document phrases
  regex.icontains(body.current_thread.text,
                  '(?:documento fiscal|documento tributário|documento de imposto|documento de impostos|formulário fiscal|declaração de imposto|declaração de impostos|declaração fiscal|documentação fiscal|comprovante fiscal|certidão fiscal|certificado fiscal|registro fiscal|comprovativo fiscal)'
  )
  // spanish tax document phrases
  or regex.icontains(body.current_thread.text,
                     '(?:Acessar Documento|Documento Fiscal|documento tributario|documento de impuestos|comprobante fiscal|constancia fiscal|declaración de impuestos|formulario fiscal|documentación fiscal|registro fiscal|certificado fiscal)'
  )
)

// suspicious domains
and any(body.links,
        .parser == 'hyperlink'
        and (
          .href_url.domain.domain in $url_shorteners
          or .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.domain in $free_subdomain_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $self_service_creation_platform_domains
          or .href_url.domain.root_domain in $self_service_creation_platform_domains
          or network.whois(.href_url.domain).days_old < 30
        )
        and not .href_url.domain.root_domain in ('sharepoint.com', 'box.com')
)
// subject fields
and regex.icontains(subject.base, '(?:nf|\b[0-9]{7,10}\b|nota fiscal)')

// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: Tax document lure Portuguese/Spanish with suspicious domains"
description: "Detects messages in Portuguese/Spanish containing tax document phrases that link to suspicious domains including URL shorteners, free file hosts, or newly registered domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.links) < 15
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and (
    // portuguese tax document phrases
    regex.icontains(body.current_thread.text,
                    '(?:documento fiscal|documento tributário|documento de imposto|documento de impostos|formulário fiscal|declaração de imposto|declaração de impostos|declaração fiscal|documentação fiscal|comprovante fiscal|certidão fiscal|certificado fiscal|registro fiscal|comprovativo fiscal)'
    )
    // spanish tax document phrases
    or regex.icontains(body.current_thread.text,
                       '(?:Acessar Documento|Documento Fiscal|documento tributario|documento de impuestos|comprobante fiscal|constancia fiscal|declaración de impuestos|formulario fiscal|documentación fiscal|registro fiscal|certificado fiscal)'
    )
  )
  
  // suspicious domains
  and any(body.links,
          .parser == 'hyperlink'
          and (
            .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.domain in $free_subdomain_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $self_service_creation_platform_domains
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or network.whois(.href_url.domain).days_old < 30
          )
          and not .href_url.domain.root_domain in ('sharepoint.com', 'box.com')
  )
  // subject fields
  and regex.icontains(subject.base, '(?:nf|\b[0-9]{7,10}\b|nota fiscal)')
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Whois"
id: "e132beb2-1112-5204-89d7-56cec0835b87"