From 457de0ea704dc9830c42d1a1aabaa5203f6c2965 Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Mon, 15 Jun 2026 12:02:41 -0500
Subject: [PATCH 1/5] Create link_self_sender_ip_check.yml
---
 detection-rules/link_self_sender_ip_check.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 detection-rules/link_self_sender_ip_check.yml
diff --git a/detection-rules/link_self_sender_ip_check.yml b/detection-rules/link_self_sender_ip_check.yml
new file mode 100644
index 00000000000..69574ecef35
--- /dev/null
+++ b/detection-rules/link_self_sender_ip_check.yml
@@ -0,0 +1,21 @@
+name: "Link: Self-sender with IP geolocation check"
+description: "Detects messages where the sender and recipient are the same address and the email contains a link that accesses ipinfo.io to gather IP geolocation information on the user."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // self sender
+ and (
+ length(recipients.to) == 1
+ and recipients.to[0].email.email == sender.email.email
+ )
+ and any(body.current_thread.links, any(ml.link_analysis(.).unique_urls_accessed, .url == 'https://ipinfo.io/json'))
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
From f86b9f1a4e2e0baf9ed60eeee47f42733ed21f65 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Mon, 15 Jun 2026 17:05:00 +0000
Subject: [PATCH 2/5] Auto-format MQL and add rule IDs
---
 detection-rules/link_self_sender_ip_check.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/detection-rules/link_self_sender_ip_check.yml b/detection-rules/link_self_sender_ip_check.yml
index 69574ecef35..529d0946bde 100644
--- a/detection-rules/link_self_sender_ip_check.yml
+++ b/detection-rules/link_self_sender_ip_check.yml
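Review bot: The ipinfo.io check on the last `and any(...)` line of the hunk is an exact string comparison, `.url == 'https://ipinfo.io/json'`, so a plain `http://` scheme, a trailing query string (for example a `?token=...` parameter, constructed example), or another endpoint on the same host is not caught even though the description says the rule detects links that access ipinfo.io. If `.url` on `unique_urls_accessed` is a plain string, `strings.icontains(.url, 'ipinfo.io/')` keeps the intent while covering those variants; if it is a URL object, compare its root domain instead, and either way confirm the field type against the MQL reference before changing it. A short comment above that line, such as `// geolocation lookup endpoint fetched by the landing page, not by the mail client`, would record why this one host is singled out.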
@@ -9,8 +9,11 @@ source: |
 length(recipients.to) == 1
 and recipients.to[0].email.email == sender.email.email
 )
- and any(body.current_thread.links, any(ml.link_analysis(.).unique_urls_accessed, .url == 'https://ipinfo.io/json'))
-
+ and any(body.current_thread.links,
+ any(ml.link_analysis(.).unique_urls_accessed,
+ .url == 'https://ipinfo.io/json'
+ )
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
@@ -19,3 +22,4 @@ tactics_and_techniques:
 detection_methods:
 - "Sender analysis"
 - "URL analysis"
+id: "fa708c3c-c40f-5b0d-b9c4-e9512fb32629"
From e875a253e2c0e5ea8ec245640149e36df61de4fe Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Mon, 15 Jun 2026 13:07:15 -0500
Subject: [PATCH 3/5] negate links where the domain matches the sender domain
---
 detection-rules/link_self_sender_ip_check.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/detection-rules/link_self_sender_ip_check.yml b/detection-rules/link_self_sender_ip_check.yml
index 529d0946bde..78759dc98b8 100644
--- a/detection-rules/link_self_sender_ip_check.yml
+++ b/detection-rules/link_self_sender_ip_check.yml
@@ -10,8 +10,9 @@ source: |
 and recipients.to[0].email.email == sender.email.email
 )
 and any(body.current_thread.links,
- any(ml.link_analysis(.).unique_urls_accessed,
- .url == 'https://ipinfo.io/json'
+ .href_url.domain.root_domain != sender.email.domain.root_domain
+ and any(ml.link_analysis(.).unique_urls_accessed,
+ .url == 'https://ipinfo.io/json'
 )
 )
 attack_types:
From 51c157d802b1f8c0a6c3a88f2015bac8ff2cf0bc Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Wed, 17 Jun 2026 13:28:40 -0500
Subject: [PATCH 4/5] tighten the rule to avoid FPs
---
 detection-rules/link_self_sender_ip_check.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/detection-rules/link_self_sender_ip_check.yml b/detection-rules/link_self_sender_ip_check.yml
index 78759dc98b8..0b319179a14 100644
--- a/detection-rules/link_self_sender_ip_check.yml
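Review bot: In the PATCH 3/5 hunk, the new `.href_url.domain.root_domain != sender.email.domain.root_domain` negation compares the link's href as written, while the ipinfo.io hit on the following lines comes from `unique_urls_accessed`, i.e. where the link lands after redirects. A link hosted on the sender's own domain that forwards off-site is therefore excluded even though its final page would satisfy the rest of the condition, and `.href_url.domain.root_domain` may also be empty for `mailto:` or malformed hrefs, so it is worth confirming how the engine evaluates `!=` against a missing value here. If skipping own-domain links is the intended trade-off, state it in a comment such as `// skip links on the sender's own domain (for a self-sender this is the recipient's domain); links that redirect off that domain are skipped too` so the next reader does not have to rediscover it.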
+++ b/detection-rules/link_self_sender_ip_check.yml
@@ -1,5 +1,5 @@
-name: "Link: Self-sender with IP geolocation check"
-description: "Detects messages where the sender and recipient are the same address and the email contains a link that accesses ipinfo.io to gather IP geolocation information on the user."
+name: "Link: Self-sender with IP geolocation check and suspicious link behavior"
+description: "Detects messages where the sender and recipient are the same address that access IP geolocation services (ipinfo.io) and exhibit suspicious behavior, such as randomization scripting or confirmed credential harvesting indicators."
 type: "rule"
 severity: "medium"
 source: |
@@ -14,6 +14,16 @@ source: |
 and any(ml.link_analysis(.).unique_urls_accessed,
 .url == 'https://ipinfo.io/json'
 )
+ and (
+ strings.icontains(ml.link_analysis(.).final_dom.raw,
+ 'Math.floor',
+ 'Math.random'
+ )
+ or (
+ ml.link_analysis(.).credphish.disposition == "phishing"
+ and ml.link_analysis(.).credphish.confidence in ("medium", "high")
+ )
+ )
 )
 attack_types:
 - "Credential Phishing"
From 19fb593b9a2ce2d4f7f515db6b5c982539c430e7 Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Fri, 26 Jun 2026 12:58:18 -0500
Subject: [PATCH 5/5] Update negation/gate for LA
---
 detection-rules/link_self_sender_ip_check.yml | 21 +++++++------------
 1 file changed, 7 insertions(+), 14 deletions(-)
diff --git a/detection-rules/link_self_sender_ip_check.yml b/detection-rules/link_self_sender_ip_check.yml
index 0b319179a14..396c9e40e88 100644
--- a/detection-rules/link_self_sender_ip_check.yml
+++ b/detection-rules/link_self_sender_ip_check.yml
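Review bot: In the second PATCH 4/5 hunk, the `strings.icontains(ml.link_analysis(.).final_dom.raw, 'Math.floor', 'Math.random')` branch is a weak discriminator: both calls appear in most bundled JavaScript on ordinary landing pages (cache-busting, analytics, UI libraries), so with `or` between the branches nearly any rendered page satisfies the new block and the `credphish` branch is doing the real tightening the commit message promises. Either drop the DOM-string branch, or keep it only alongside a more specific fingerprint of the kit that was observed, and adjust the description so "randomization scripting" is not presented as an indicator on its own. The block also calls `ml.link_analysis(.)` three times for the same link; if the engine does not memoize that call, this is worth checking for cost. This whole block is removed again in PATCH 5/5, so the note mainly matters if it is ever reinstated.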
@@ -9,22 +9,15 @@ source: |
 length(recipients.to) == 1
 and recipients.to[0].email.email == sender.email.email
 )
- and any(body.current_thread.links,
- .href_url.domain.root_domain != sender.email.domain.root_domain
- and any(ml.link_analysis(.).unique_urls_accessed,
- .url == 'https://ipinfo.io/json'
- )
- and (
- strings.icontains(ml.link_analysis(.).final_dom.raw,
- 'Math.floor',
- 'Math.random'
- )
- or (
- ml.link_analysis(.).credphish.disposition == "phishing"
- and ml.link_analysis(.).credphish.confidence in ("medium", "high")
- )
+ and 0 < length(body.current_thread.links) < 10
+ and any(filter(body.current_thread.links,
+ .href_url.domain.root_domain != sender.email.domain.root_domain
+ ),
+ any(ml.link_analysis(.).unique_urls_accessed,
+ .url == 'https://ipinfo.io/json'
 )
 )
+ and not headers.return_path.domain.root_domain == "salesforce.com"
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
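Review bot: The new `and not headers.return_path.domain.root_domain == "salesforce.com"` exclusion keys only on Return-Path, a sender-supplied header, so the vendor carve-out is satisfied by any message that merely claims a salesforce.com bounce address and silently disables the rule for it; tie the exception to authentication, e.g. `and not (headers.return_path.domain.root_domain == "salesforce.com" and headers.auth_summary.spf.pass)`, so only mail that actually authenticates for that domain is excluded. The `0 <` half of `0 < length(body.current_thread.links) < 10` is redundant because the `any(...)` that follows already requires at least one link, and it is worth confirming that MQL accepts a chained comparison at all rather than `length(body.current_thread.links) < 10` alone. Since a forged self-sender is the premise of this rule, a general `and not headers.auth_summary.dmarc.pass` gate, which genuinely self-sent mail would pass, may cut false positives more broadly than per-vendor return-path exceptions, at the cost of missing sends from a compromised mailbox; that trade-off belongs in a comment above the exclusion together with the false-positive source that motivated it.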