description: "Detects messages containing Spanish tax document language that link to suspicious domains including URL shorteners, free file hosts, or newly registered domains."
3
+
type: "rule"
4
+
severity: "high"
5
+
source: |
6
+
type.inbound
7
+
and 0 < length(body.links) < 15
8
+
and length(recipients.to) == 1
9
+
and recipients.to[0].email.domain.valid
10
+
// spanish tax document phrases
11
+
and regex.icontains(body.current_thread.text,
12
+
'(?:Acessar Documento|Documento Fiscal|documento tributario|documento de impuestos|comprobante fiscal|constancia fiscal|declaración de impuestos|formulario fiscal|documentación fiscal|registro fiscal|certificado fiscal)'
13
+
)
14
+
// suspicious domains
15
+
and any(body.links,
16
+
.parser == 'hyperlink'
17
+
and (
18
+
.href_url.domain.domain in $url_shorteners
19
+
or .href_url.domain.root_domain in $url_shorteners
20
+
or .href_url.domain.domain in $free_file_hosts
21
+
or .href_url.domain.root_domain in $free_file_hosts
22
+
or .href_url.domain.domain in $free_subdomain_hosts
23
+
or .href_url.domain.root_domain in $free_subdomain_hosts
24
+
or .href_url.domain.domain in $self_service_creation_platform_domains
25
+
or .href_url.domain.root_domain in $self_service_creation_platform_domains
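Review bot: the phrase list passed to `regex.icontains` does not match the description's "Spanish tax document language". Its first alternative, `Acessar Documento`, is Portuguese. Either widen the description to cover Spanish and Portuguese or drop that alternative and add the Spanish form you intend. The accented alternatives (`declaración de impuestos`, `documentación fiscal`) will also miss messages that drop the accent, which is common in this kind of mail; a character class such as `declaraci[oó]n` and `documentaci[oó]n` covers both spellings. Separately, the description promises newly registered domains, but the link conditions visible here only test membership in `$url_shorteners`, `$free_file_hosts`, `$free_subdomain_hosts` and `$self_service_creation_platform_domains`; if no domain-age condition follows in the rest of the `any(body.links, ...)` block, add one or remove that claim from the description.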