
Link: Multistage landing - FreshDesk knowledge base abuse

Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and length(body.links) < 10
and any(filter(body.links,
               .href_url.domain.root_domain == "freshdesk.com"
               and strings.icontains(.href_url.path, 'support/solutions')
        ),
        // link to unknown domain on the page
        length(filter(ml.link_analysis(.).final_dom.links,
                      .href_url.domain.root_domain not in ("freshworks.com")
                      and .href_url.domain.root_domain not in $org_domains
                      and .href_url.domain.root_domain != sender.email.domain.root_domain
               )
        ) < 3
        // cred theft language on the page
        and any(ml.nlu_classifier(ml.link_analysis(.).final_dom.display_text).intents,
                .name == "cred_theft" and .confidence != "low"
        )
)
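To show how the query's three stages fit together (the body-link filter, the landing-page link count, and the credential-theft intent check), here is an added plain-Python model of the rule run over a constructed message; it is not Sublime's code. The `landing_pages` dict and `cred_theft_intent` keyword heuristic are assumptions standing in for `ml.link_analysis` and `ml.nlu_classifier`, and `root_domain` is a two-label simplification of `.domain.root_domain`.

```python
from urllib.parse import urlparse

ORG_DOMAINS = {"example.org"}  # stands in for $org_domains (constructed)
TRUSTED = {"freshworks.com"} | ORG_DOMAINS  # rule's allowlist plus org domains
CRED_TERMS = ("verify your account", "password", "sign in to continue")

def root_domain(host):
    # Simplified stand-in for .domain.root_domain: keeps the last two labels.
    return ".".join(host.lower().split(".")[-2:])

def cred_theft_intent(text):
    # Keyword stand-in for ml.nlu_classifier(...).intents (assumption, not the
    # real model): returns (name, confidence) or None.
    hits = sum(term in text.lower() for term in CRED_TERMS)
    if hits == 0:
        return None
    return ("cred_theft", "high" if hits >= 2 else "low")

def matches_rule(msg, landing_pages):
    """msg: {'inbound', 'sender', 'links'}; landing_pages maps a message link to
    {'links': final-DOM hrefs, 'text': display text}, modelling ml.link_analysis."""
    if not msg["inbound"] or len(msg["links"]) >= 10:
        return False
    sender_root = root_domain(msg["sender"].split("@")[1])
    for href in msg["links"]:
        u = urlparse(href)
        # body.links filter: Freshdesk root domain and a support/solutions path
        if root_domain(u.hostname or "") != "freshdesk.com" \
                or "support/solutions" not in u.path.lower():
            continue
        page = landing_pages.get(href)
        if page is None:  # no link analysis result for this href
            continue
        # links on the landing page that point somewhere neither trusted nor the sender
        unknown = [l for l in page["links"]
                   if root_domain(urlparse(l).hostname or "") not in TRUSTED
                   and root_domain(urlparse(l).hostname or "") != sender_root]
        intent = cred_theft_intent(page["text"])
        if len(unknown) < 3 and intent and intent[1] != "low":
            return True
    return False

# Constructed sample: an inbound message linking to a Freshdesk solutions article
# whose rendered page carries lure text and a single off-brand login link.
SAMPLE_MSG = {"inbound": True, "sender": "billing@mailer-constructed.test",
              "links": ["https://acme.freshdesk.com/support/solutions/articles/1001"]}
SAMPLE_PAGES = {SAMPLE_MSG["links"][0]: {
    "links": ["https://login-portal.example-constructed.test/auth"],
    "text": "Your mailbox is full. Sign in to continue and verify your account password."}}
```

Calling `matches_rule(SAMPLE_MSG, SAMPLE_PAGES)` returns `True`; swapping the page text for an ordinary help article returns `False`, as does a message with ten or more links.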

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content

name: "Link: Multistage landing - FreshDesk knowledge base abuse"
description: "Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.links) < 10
  and any(filter(body.links,
                 .href_url.domain.root_domain == "freshdesk.com"
                 and strings.icontains(.href_url.path, 'support/solutions')
          ),
          // link to unknown domain on the page
          length(filter(ml.link_analysis(.).final_dom.links,
                        .href_url.domain.root_domain not in ("freshworks.com")
                        and .href_url.domain.root_domain not in $org_domains
                        and .href_url.domain.root_domain != sender.email.domain.root_domain
                 )
          ) < 3
          // cred theft language on the page
          and any(ml.nlu_classifier(ml.link_analysis(.).final_dom.display_text).intents,
                  .name == "cred_theft" and .confidence != "low"
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "URL screenshot"
id: "edd6acf7-907f-5b06-aa2b-30ecc4982841"