
Commit cf45d00

[Shared Samples] [PR #4529] added rule: PR# 4529 - Self-sender with suspicious links (French/Français)
1 parent 0af1976 commit cf45d00

1 file changed

Lines changed: 38 additions & 0 deletions


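--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,38 @@
+name: "PR# 4529 - Self-sender with suspicious links (French/Français)"
+description: "Detects messages where the sender emails themselves with French text containing 'copier' (copy) and 'coller' (paste) instructions, along with suspicious domains like pages.dev or web.app. The subject line contains both the sender's email and display name, which are different values."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+// message is in French
+and ml.nlu_classifier(body.current_thread.text).language == 'french'
+// self sender
+and (
+length(recipients.to) == 1
+and length(recipients.cc) == 0
+and sender.email.email in map(recipients.to, .email.email)
+)
+and strings.icontains(subject.subject, sender.email.email)
+and strings.icontains(subject.subject, sender.display_name)
+and sender.email.email != sender.display_name
+and (
+strings.contains(body.current_thread.text, '.pages.dev')
+or strings.contains(body.current_thread.text, '.web.app')
+)
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Evasion"
+- "Free subdomain host"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Sender analysis"
+id: "5c57092c-9449-57ca-9631-3daa572b85d8"
+tags:
+- created_from_open_prs
+- rule_status_modified
+- pr_author_peterdj45
+references:
+- https://github.com/sublime-security/sublime-rules/pull/4529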
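Review bot: The two domain tests `strings.contains(body.current_thread.text, '.pages.dev')` and `strings.contains(body.current_thread.text, '.web.app')` are case-sensitive while every other string test in the rule uses `strings.icontains`, so a body that spells the host as `.Pages.Dev` or `.WEB.APP` is missed; switching both to `strings.icontains` makes the domain match consistent with the subject checks. The description also claims the French text contains 'copier' and 'coller' instructions, but no condition in `source` evaluates those words, so either add one, e.g. `and strings.icontains(body.current_thread.text, 'copier') and strings.icontains(body.current_thread.text, 'coller')`, or narrow the description to what the rule actually tests. The rendered page has dropped the indentation inside the `source: |` block scalar, so whether the committed file indents those lines correctly cannot be confirmed from here.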
