[Test Rules] [PR #4388] added rule: Link: URL path containing /moni/index

Author: github-actions[bot]

detection-rules/4388_link_url_moni.yml

@@ -0,0 +1,25 @@
+name: "Link: URL path containing /moni/index"
+description: "Detects inbound messages containing links to '/moni/index.' paths, either directly in the URL path or within query parameters. This pattern has been observed in the wild leading to credential phishing"
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(body.current_thread.links,
+          (
+            regex.icontains(.href_url.path, '\/moni\/index\.')
+            or any(values(.href_url.query_params_decoded),
+                   any(., regex.icontains(., '\/moni\/index\.'))
+            )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Open redirect"
+  - "Evasion"
+detection_methods:
+  - "URL analysis"
+id: "16e95f68-4d05-5d86-87ed-68d9ea024e6e"
+og_id: "9d8aa316-64c8-5d48-89be-06cc56eaa1f8"
+testing_pr: 4388
+testing_sha: d7ee9d8b23b932f33a0a5518606a238e05a6aa37