Sublime · medium · Rule

Service abuse: Formester with suspicious link behavior

Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
// Link analysis (LA) loads the Formester page first, then its additional links are scanned.
and (
  any(filter(body.links, .href_url.domain.root_domain == 'formester.com'),
      (
        ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
      )
      // any links in the final dom lead to a suspicious tld.
      or any(ml.link_analysis(.).final_dom.links,
             .href_url.domain.tld in $suspicious_tlds
             or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
      )

      // link redirects to a suspicious TLD.
      or any(ml.link_analysis(., mode="aggressive").redirect_history,
             .domain.tld in $suspicious_tlds
      )
      // suspicious landing verbiage. Keywords can be expanded.
      or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                           "secure message"
      )
      // suspicious link verbiage.
      or regex.icontains(.display_text,
                         "(view|show|download).{0,20}(Doc(ument)?(s)?|file(s)?|attached)"
      )
  )
  // suspicious keywords/phrasing in body.
  or (
    any(body.links, .href_url.domain.root_domain == 'formester.com')
    and strings.icontains(body.current_thread.text,
                          "use of Microsoft 365 and may contain content"
    )
  )
)
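To see how the rule's boolean structure behaves, here is an added Python model of it (not Sublime's code, and not the MQL engine): it stubs the ml.link_analysis results as plain dicts, approximates root_domain and tld without a public-suffix list, uses a constructed stand-in for $suspicious_tlds, and omits the type.inbound check. It shows that every branch, including the body-text branch, requires a Formester link to be present.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the rule's $suspicious_tlds list (not Sublime's real list).
SUSPICIOUS_TLDS = {"xyz", "top", "icu", "cfd"}

# Same pattern as the rule's display-text check, case-insensitive.
LINK_TEXT_RE = re.compile(r"(view|show|download).{0,20}(doc(ument)?s?|files?|attached)", re.I)
BODY_PHRASE = "use of microsoft 365 and may contain content"


def tld(url):
    """Last host label, mirroring .domain.tld."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1]


def root_domain(url):
    """Last two host labels, an approximation of .domain.root_domain (no PSL lookup)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def link_is_suspicious(link):
    """Per-link branch of the rule; `link` carries stubbed link-analysis output."""
    la = link["link_analysis"]  # stand-in for ml.link_analysis(.) results
    if la.get("credphish_disposition") == "phishing":
        return True
    # final_dom_links stands in for both the final-DOM href and its effective URL.
    if any(tld(u) in SUSPICIOUS_TLDS for u in la.get("final_dom_links", [])):
        return True
    if any(tld(u) in SUSPICIOUS_TLDS for u in la.get("redirect_history", [])):
        return True
    if "secure message" in la.get("final_dom_text", "").lower():
        return True
    return bool(LINK_TEXT_RE.search(link.get("display_text", "")))


def matches_rule(message):
    """Top-level rule logic: a Formester link with suspicious behaviour, or a
    Formester link plus the Microsoft 365 body phrase."""
    formester = [l for l in message["links"] if root_domain(l["href"]) == "formester.com"]
    if not formester:
        return False  # both top-level branches require a Formester link
    if any(link_is_suspicious(l) for l in formester):
        return True
    return BODY_PHRASE in message.get("body_text", "").lower()


# Constructed sample: a Formester form whose landing page links out to a .xyz host.
SAMPLE = {"body_text": "Please review.", "links": [{
    "href": "https://app.formester.com/forms/placeholder-id", "display_text": "Open",
    "link_analysis": {"credphish_disposition": "benign", "redirect_history": [],
                      "final_dom_links": ["https://portal.example.xyz/"],
                      "final_dom_text": "Sign in to continue"}}]}
```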

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Service abuse: Formester with suspicious link behavior"
description: "Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Link analysis (LA) loads the Formester page first, then its additional links are scanned.
  and (
    any(filter(body.links, .href_url.domain.root_domain == 'formester.com'),
        (
          ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
        )
        // any links in the final dom lead to a suspicious tld.
        or any(ml.link_analysis(.).final_dom.links,
               .href_url.domain.tld in $suspicious_tlds
               or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
        )
  
        // link redirects to a suspicious TLD.
        or any(ml.link_analysis(., mode="aggressive").redirect_history,
               .domain.tld in $suspicious_tlds
        )
        // suspicious landing verbiage. Keywords can be expanded.
        or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                             "secure message"
        )
        // suspicious link verbiage.
        or regex.icontains(.display_text,
                           "(view|show|download).{0,20}(Doc(ument)?(s)?|file(s)?|attached)"
        )
    )
    // suspicious keywords/phrasing in body.
    or (
      any(body.links, .href_url.domain.root_domain == 'formester.com')
      and strings.icontains(body.current_thread.text,
                            "use of Microsoft 365 and may contain content"
      )
    )
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Open redirect"
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "URL analysis"
  - "URL screenshot"
id: "e4b74fd4-b659-50c0-980c-74c8fb63aa32"