Skip to content

Commit 6905453

Browse files
[Shared Samples] [PR #4667] modified rule: PR# 4667 - Link: Self-sender with IP geolocation check and suspicious link behavior
1 parent 2fc7984 commit 6905453

1 file changed

Lines changed: 7 additions & 14 deletions

File tree

detection-rules/4667_link_self_sender_ip_check.yml

Lines changed: 7 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -9,22 +9,15 @@ source: |
99
length(recipients.to) == 1
1010
and recipients.to[0].email.email == sender.email.email
1111
)
12-
and any(body.current_thread.links,
13-
.href_url.domain.root_domain != sender.email.domain.root_domain
14-
and any(ml.link_analysis(.).unique_urls_accessed,
15-
.url == 'https://ipinfo.io/json'
16-
)
17-
and (
18-
strings.icontains(ml.link_analysis(.).final_dom.raw,
19-
'Math.floor',
20-
'Math.random'
21-
)
22-
or (
23-
ml.link_analysis(.).credphish.disposition == "phishing"
24-
and ml.link_analysis(.).credphish.confidence in ("medium", "high")
25-
)
12+
and 0 < length(body.current_thread.links) < 10
13+
and any(filter(body.current_thread.links,
14+
.href_url.domain.root_domain != sender.email.domain.root_domain
15+
),
16+
any(ml.link_analysis(.).unique_urls_accessed,
17+
.url == 'https://ipinfo.io/json'
2618
)
2719
)
20+
and not headers.return_path.domain.root_domain == "salesforce.com"
2821
attack_types:
2922
- "Credential Phishing"
3023
tactics_and_techniques:

0 commit comments

Comments
 (0)