EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Link: Zoho form link from unsolicited sender

This detection rule matches on messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing.

MITRE ATT&CK

T1566.003T1598

Detection Query

type.inbound
// filter links to zoho forms
and any(filter(body.links,
               // zoho forms link
               .href_url.domain.domain == 'forms.zohopublic.com'
               // remove a common FP for linking directly 
               and not strings.istarts_with(.href_url.path, '/quickbooking/')
        ),
        // remove FPs by checking there is only one link
        // ensure the link is within the current_thread
        (
          strings.contains(body.current_thread.text, .display_text)
          or strings.contains(body.current_thread.text, .href_url.url)
        )
        // and ensure that link only occurs once within body.html
        and (
          (
            body.html.raw is not null
            and (
              strings.count(body.html.raw, .display_text) == 1
              or strings.count(body.html.raw, .href_url.url) == 1
            )
          )
          or (
            // and ensure that link only occurs once within plaintext if html.raw is null
            body.plain.raw is not null
            and (
              strings.count(body.plain.raw, .display_text) == 1
              or strings.count(body.plain.raw, .href_url.url) == 1
            )
          )
        )
)

// dont match messages with lots of links or long bodies, often marketing messages
and length(body.links) < 20
and length(body.current_thread.text) < 900
// not solicited or from malicious/spam user with no FPs
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: Zoho form link from unsolicited sender"
description: "This detection rule matches on messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // filter links to zoho forms
  and any(filter(body.links,
                 // zoho forms link
                 .href_url.domain.domain == 'forms.zohopublic.com'
                 // remove a common FP for linking directly 
                 and not strings.istarts_with(.href_url.path, '/quickbooking/')
          ),
          // remove FPs by checking there is only one link
          // ensure the link is within the current_thread
          (
            strings.contains(body.current_thread.text, .display_text)
            or strings.contains(body.current_thread.text, .href_url.url)
          )
          // and ensure that link only occurs once within body.html
          and (
            (
              body.html.raw is not null
              and (
                strings.count(body.html.raw, .display_text) == 1
                or strings.count(body.html.raw, .href_url.url) == 1
              )
            )
            or (
              // and ensure that link only occurs once within plaintext if html.raw is null
              body.plain.raw is not null
              and (
                strings.count(body.plain.raw, .display_text) == 1
                or strings.count(body.plain.raw, .href_url.url) == 1
              )
            )
          )
  )
  
  // dont match messages with lots of links or long bodies, often marketing messages
  and length(body.links) < 20
  and length(body.current_thread.text) < 900
  // not solicited or from malicious/spam user with no FPs
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  
  // not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
id: "eb04a9f2-c40b-5fcc-97de-bee7111bc3d8"