Create link_credential_phishing_cloud_service.yml (#4367)

Co-authored-by: CI Bot <hello@sublimesecurity.com>

Author: D-Bolton

detection-rules/link_credential_phishing_cloud_service.yml

@@ -0,0 +1,43 @@
+name: "Link: Cloud service with credential theft language"
+description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.starts_with(body.current_thread.text, 'Cloud')
+    // cloud emoji
+    or regex.contains(body.current_thread.text, '^\x{2601}')
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).intents,
+          .name == 'cred_theft' and .confidence == 'high'
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).topics,
+          .name == 'File Sharing and Cloud Services' and .confidence == 'high'
+  )
+  // sender domain matches no body domains
+  and length(body.links) > 0
+  and all(body.links,
+          .href_url.domain.root_domain != sender.email.domain.root_domain
+  )
+  // negate legit cloud companies
+  and not (
+    sender.email.domain.root_domain in ("cloud-cme.com", "cloudcounting.online")
+    // check for SPF or DMARC passed
+    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+  - "URL analysis"
+id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"