[Shared Samples] [PR #4498] added rule: PR# 4498 - Link: Generic financial document and suspicious hosting template

github-actions[bot] · github-actions[bot] · commit 4e6f3362426c · 2026-05-15T23:00:54.000Z
diff --git a/detection-rules/4498_link_financial_document_timeline_template.yml b/detection-rules/4498_link_financial_document_timeline_template.yml
@@ -0,0 +1,78 @@
+name: "PR# 4498 - Link: Generic financial document and suspicious hosting template"
+description: "Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // standard generic greeting
+  and (
+    strings.istarts_with(body.current_thread.text, "dear sir/madam")
+    // expectation of time
+    and regex.icontains(body.current_thread.text,
+                        'will be released|\b[1-4].[1-4]\b.{1,10}days?'
+    )
+  )
+  // link is malicious
+  and any(body.links,
+          // key phrasing or nlu
+          (
+            regex.icontains(.display_text,
+                            '(?:access|view).{0,10}|payment|statement'
+            )
+            or any(ml.nlu_classifier(body.current_thread.text).topics,
+                   .name == "Request to View Invoice" and .confidence != "low"
+            )
+          )
+          // suspicious hosting
+          and (
+            .href_url.domain.root_domain in $free_file_hosts
+            or .href_url.domain.tld in $suspicious_tlds
+            or .href_url.domain.root_domain not in $tranco_1m
+            // open redirect
+            or strings.icontains(.href_url.query_params, '=https')
+          )
+          // negate org domains
+          and .href_url.domain.valid != false
+          and .href_url.domain.root_domain not in $org_domains
+  )
+  // suspicious sender behavior
+  and (
+    (
+      length(recipients.to) == 1
+      and length(recipients.cc) == 0
+      and sender.email.email == recipients.to[0].email.email
+    )
+    // no recipient
+    or (
+      (
+        length(recipients.to) == 0
+        and length(recipients.bcc) == 0
+        and length(recipients.cc) == 0
+      )
+      or any(recipients.to,
+             strings.ilike(.display_name, "undisclosed?recipients")
+      )
+    )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free file host"
+  - "Open redirect"
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "URL analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "1a6e4ced-4391-597f-9184-d4d1c57dedc7"
+tags:
+  - created_from_open_prs
+  - rule_status_added
+  - pr_author_missingn0pe
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4498
