[Test Rules] [PR #4378] added rule: Link: Self-sent credential theft with single character path

Author: github-actions[bot]

detection-rules/4378_self_sender_cred_theft_short_path_link.yml

@@ -0,0 +1,36 @@
+name: "Link: Self-sent credential theft with single character path"
+description: "Detects messages sent to oneself containing links with single character paths and credential theft language, commonly used to bypass security filters and deliver malicious content."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // self sender
+  and length(recipients.to) == 1
+  and (
+    sender.email.email == recipients.to[0].email.email
+    or recipients.to[0].email.domain.valid == false
+  )
+  // path contains 1 character
+  and any(body.current_thread.links,
+          regex.imatch(.href_url.path, '\/[A-Za-z0-9]')
+          and .href_url.query_params is null
+          and .href_url.fragment is null
+          and .display_url.url is null
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).intents,
+          .name == "cred_theft" and .confidence != "low"
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Natural Language Understanding"
+  - "URL analysis"
+  - "Sender analysis"
+  - "Header analysis"
+id: "d47242e9-cf63-5dea-8aba-fcd6c2226b71"
+og_id: "c97982e6-eaa2-53e3-ba8f-0dc4db55b936"
+testing_pr: 4378
+testing_sha: 022a884f707b197a59c7d3bf6a9f4252ebf49082