Skip to content

Commit a088f69

Browse files
[Shared Samples] [PR #4507] modified rule: PR# 4507 - Link: Self-sender credential theft with suspicious TLD
1 parent f970ded commit a088f69

1 file changed

Lines changed: 7 additions & 1 deletion

File tree

detection-rules/4507_link_self_sender_cred_theft_sus_tlds.yml

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,11 +9,17 @@ source: |
99
// auth passes
1010
and coalesce(headers.auth_summary.dmarc.pass, false)
1111
// link is suspicious tlds
12-
and any(body.links, .href_url.domain.tld in~ $suspicious_tlds)
12+
and any(body.links,
13+
.href_url.domain.tld in~ $suspicious_tlds
14+
// and sender.email.domain.tld == .href_url.domain.tld
15+
)
1316
// ML signals credential phishing
1417
and any(ml.nlu_classifier(body.current_thread.text).intents,
1518
.name == "cred_theft" and .confidence != "low"
1619
)
20+
// exclude json attachments from legit services
21+
// all will provide samples without attachments as well
22+
and all(attachments, .file_extension != "json")
1723
attack_types:
1824
- "Credential Phishing"
1925
tactics_and_techniques:

0 commit comments

Comments
 (0)