← Back to Explore
sublimemediumRule
Link: MyActiveCampaign Link Abuse
Detects messages from myactivecampaign.com containing links and suspicious language that do not exclusively point to activehosted.com domains.
Detection Query
type.inbound
and 0 < length(body.links) < 10
and sender.email.domain.root_domain == "myactivecampaign.com"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
and not all(body.links, .href_url.domain.root_domain == "activehosted.com")
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: MyActiveCampaign Link Abuse"
description: "Detects messages from myactivecampaign.com containing links and suspicious language that do not exclusively point to activehosted.com domains."
type: "rule"
severity: "medium"
source: |
type.inbound
and 0 < length(body.links) < 10
and sender.email.domain.root_domain == "myactivecampaign.com"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
and not all(body.links, .href_url.domain.root_domain == "activehosted.com")
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "URL analysis"
- "Sender analysis"
id: "f5b91ce5-e239-5ae6-a417-9f0c5eeb47f1"