← Back to Explore
sublimemediumRule
Link: Direct POWR.io Form Builder with suspicious patterns
Detects POWR.io forms with suspicious characteristics including unverified creators, cross-domain redirects, suspended accounts, or form owners from African time zones that don't match sender domains.
Detection Query
type.inbound
and (
(
any(filter(body.links,
(
(
.href_url.domain.root_domain == "powr.io"
and strings.icontains(.href_url.path, 'form-builder')
)
or (
(
strings.icontains(.href_url.query_params, 'powr.io')
or strings.icontains(.href_url.query_params, 'powr%2io')
or strings.icontains(.href_url.query_params, 'powr%252eio')
)
and strings.icontains(.href_url.query_params, 'form-builder')
)
)
),
// it's credphishing
ml.link_analysis(.).credphish.disposition == "phishing"
// these shouldn't show up here either
or ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
// there is a redirect, and that redirect goes to a different domain than the sender root domain
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.CONTENT=(?P<content>[^\n]+)\;\n'
),
strings.parse_json(.named_groups["content"])["afterSubmission"] == "redirect"
and strings.parse_json(.named_groups["content"])["redirectLink"] != ""
and not strings.icontains(strings.parse_json(.named_groups["content"]
)["redirectLink"],
sender.email.domain.root_domain
)
)
// use the META data to inspect the "app_owner" data
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.META=(?P<meta>[^\n]+)\;\n'
),
// the creator has been suspended or isn't active anymore
strings.parse_json(.named_groups["meta"])["app_owner"]["status"] == "suspended"
or strings.parse_json(.named_groups["meta"])["app_owner"]["active"] == false
// did not verify the email address
or strings.parse_json(.named_groups["meta"])["app_owner"]["has_verified_email?"] == false
// the app_owner originated from a timezone in Africa
or strings.starts_with(strings.parse_json(.named_groups["meta"])["app_owner"]["timezone"],
'Africa/'
)
// the creator domain doesn't match the sender root domain
or not strings.ends_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["email"],
sender.email.domain.root_domain
)
)
)
or any(attachments,
(.file_extension == "eml" or .content_type == "message/rfc822")
and any(filter(file.parse_eml(.).body.links,
(
(
.href_url.domain.root_domain == "powr.io"
and strings.icontains(.href_url.path,
'form-builder'
)
)
or (
(
strings.icontains(.href_url.query_params,
'powr.io'
)
or strings.icontains(.href_url.query_params,
'powr%2io'
)
or strings.icontains(.href_url.query_params,
'powr%252eio'
)
)
and strings.icontains(.href_url.query_params,
'form-builder'
)
)
)
),
// it's credphishing
ml.link_analysis(.).credphish.disposition == "phishing"
// these shouldn't show up here either
or ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
// there is a redirect, and that redirect goes to a different domain than the sender root domain
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.CONTENT=(?P<content>[^\n]+)\;\n'
),
strings.parse_json(.named_groups["content"])["afterSubmission"] == "redirect"
and strings.parse_json(.named_groups["content"])["redirectLink"] != ""
and not strings.icontains(strings.parse_json(.named_groups["content"]
)["redirectLink"],
sender.email.domain.root_domain
)
)
// the creator has been suspended
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.META=(?P<meta>[^\n]+)\;\n'
),
// the creator has been suspended or isn't active anymore
strings.parse_json(.named_groups["meta"])["app_owner"]["status"] == "suspended"
or strings.parse_json(.named_groups["meta"])["app_owner"]["active"] == false
// did not verify the email address
or strings.parse_json(.named_groups["meta"])["app_owner"]["has_verified_email?"] == false
// the app_owner originated from a timezone in Africa
or strings.starts_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["timezone"],
'Africa/'
)
// the creator domain doesn't match the sender root domain
or not strings.ends_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["email"],
sender.email.domain.root_domain
)
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Direct POWR.io Form Builder with suspicious patterns"
description: "Detects POWR.io forms with suspicious characteristics including unverified creators, cross-domain redirects, suspended accounts, or form owners from African time zones that don't match sender domains."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
(
any(filter(body.links,
(
(
.href_url.domain.root_domain == "powr.io"
and strings.icontains(.href_url.path, 'form-builder')
)
or (
(
strings.icontains(.href_url.query_params, 'powr.io')
or strings.icontains(.href_url.query_params, 'powr%2io')
or strings.icontains(.href_url.query_params, 'powr%252eio')
)
and strings.icontains(.href_url.query_params, 'form-builder')
)
)
),
// it's credphishing
ml.link_analysis(.).credphish.disposition == "phishing"
// these shouldn't show up here either
or ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
// there is a redirect, and that redirect goes to a different domain than the sender root domain
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.CONTENT=(?P<content>[^\n]+)\;\n'
),
strings.parse_json(.named_groups["content"])["afterSubmission"] == "redirect"
and strings.parse_json(.named_groups["content"])["redirectLink"] != ""
and not strings.icontains(strings.parse_json(.named_groups["content"]
)["redirectLink"],
sender.email.domain.root_domain
)
)
// use the META data to inspect the "app_owner" data
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.META=(?P<meta>[^\n]+)\;\n'
),
// the creator has been suspended or isn't active anymore
strings.parse_json(.named_groups["meta"])["app_owner"]["status"] == "suspended"
or strings.parse_json(.named_groups["meta"])["app_owner"]["active"] == false
// did not verify the email address
or strings.parse_json(.named_groups["meta"])["app_owner"]["has_verified_email?"] == false
// the app_owner originated from a timezone in Africa
or strings.starts_with(strings.parse_json(.named_groups["meta"])["app_owner"]["timezone"],
'Africa/'
)
// the creator domain doesn't match the sender root domain
or not strings.ends_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["email"],
sender.email.domain.root_domain
)
)
)
or any(attachments,
(.file_extension == "eml" or .content_type == "message/rfc822")
and any(filter(file.parse_eml(.).body.links,
(
(
.href_url.domain.root_domain == "powr.io"
and strings.icontains(.href_url.path,
'form-builder'
)
)
or (
(
strings.icontains(.href_url.query_params,
'powr.io'
)
or strings.icontains(.href_url.query_params,
'powr%2io'
)
or strings.icontains(.href_url.query_params,
'powr%252eio'
)
)
and strings.icontains(.href_url.query_params,
'form-builder'
)
)
)
),
// it's credphishing
ml.link_analysis(.).credphish.disposition == "phishing"
// these shouldn't show up here either
or ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
// there is a redirect, and that redirect goes to a different domain than the sender root domain
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.CONTENT=(?P<content>[^\n]+)\;\n'
),
strings.parse_json(.named_groups["content"])["afterSubmission"] == "redirect"
and strings.parse_json(.named_groups["content"])["redirectLink"] != ""
and not strings.icontains(strings.parse_json(.named_groups["content"]
)["redirectLink"],
sender.email.domain.root_domain
)
)
// the creator has been suspended
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.META=(?P<meta>[^\n]+)\;\n'
),
// the creator has been suspended or isn't active anymore
strings.parse_json(.named_groups["meta"])["app_owner"]["status"] == "suspended"
or strings.parse_json(.named_groups["meta"])["app_owner"]["active"] == false
// did not verify the email address
or strings.parse_json(.named_groups["meta"])["app_owner"]["has_verified_email?"] == false
// the app_owner originated from a timezone in Africa
or strings.starts_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["timezone"],
'Africa/'
)
// the creator domain doesn't match the sender root domain
or not strings.ends_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["email"],
sender.email.domain.root_domain
)
)
)
)
)
)
attack_types:
- "Credential Phishing"
- "Callback Phishing"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "File analysis"
- "URL analysis"
- "Content analysis"
id: "fd37cc93-eeeb-5091-bece-6dc7b0c78fe0"