High Severity

Credential phishing: Engaging language with IPFS link

Labels

Credential Phishing
Free file host
Free subdomain host
IPFS
Content analysis
Natural Language Understanding
URL analysis

Description

The rendered message body contains credential-theft language (expiry and password wording, confirmed by the NLU classifier returning a cred_theft intent) and at least one link whose effective, post-redirect URL points at IPFS, either through a gateway hostname containing "ipfs" or an "ipfs" path segment. IPFS gateways have recently been observed hosting phishing pages.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated May 3rd, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// credential-theft wording: expiry plus password language in the rendered body
and strings.ilike(body.html.display_text, "*expir*")
and strings.ilike(body.html.display_text, "*password*")
// the NLU classifier must independently flag a credential theft intent
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
)
// at least one link whose effective (post-redirect) URL points at IPFS
and any(body.links,
        strings.icontains(ml.link_analysis(.).effective_url.url, 'ipfs')
        or (
          // 'ipfs' as a path segment or label, e.g. /ipfs/<cid>, ipfs-share, .ipfs
          // the class matches '.', '-' or '/' ('-' escaped so it is not read as a range)
          regex.icontains(ml.link_analysis(.).effective_url.path,
                          '[.\-/]ipfs|ipfs[.\-/]'
          )
          // never flag the organisation's own domains on the path check alone
          and ml.link_analysis(.).effective_url.domain.domain not in $org_domains
          and (
            (
              // don't include high rep domains
              ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
              and ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
            )
            // if it's in Tranco or Umbrella, still include it if it's one of these
            or ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
            or ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
            or ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
          )
        )
)
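The link predicate above is MQL and only evaluates inside Sublime. The Python below is an added example, not part of the rule or of Sublime's own code: it re-implements the two link branches and the two substring body checks over constructed sample URLs so you can see which branch fires for a public gateway, a subdomain gateway, a free host and an org-owned domain. The Sublime list variables ($org_domains, $tranco_1m, $umbrella_1m, $free_file_hosts, $free_subdomain_hosts) are replaced by small hypothetical sets, the root-domain helper is a two-label approximation rather than public-suffix based, and the NLU cred_theft intent check is not reproduced.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the Sublime list variables used by the rule.
# Real deployments use Sublime's maintained lists; these are illustrative only.
ORG_DOMAINS = {"corp.example"}                 # hypothetical $org_domains
HIGH_REP_DOMAINS = {"ipfs.io", "dweb.link", "sharepoint.com"}  # stands in for $tranco_1m + $umbrella_1m
FREE_FILE_HOSTS = {"dweb.link"}                # hypothetical $free_file_hosts entry
FREE_SUBDOMAIN_HOSTS = {"pages.example"}       # hypothetical $free_subdomain_hosts entry

# Same pattern as the rule's path regex. The class is written [.\-/] so that
# '.', '-' and '/' are all matched; an unescaped '.-/' would be a two-character
# range covering only '.' and '/'.
IPFS_PATH_RE = re.compile(r"[.\-/]ipfs|ipfs[.\-/]", re.IGNORECASE)


def root_domain(host: str) -> str:
    """Naive registrable-domain approximation (last two labels).
    Sublime's .root_domain uses the public suffix list; this helper does not."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> dict:
    """Evaluate both branches of the rule's link predicate for one effective URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    root = root_domain(host)

    # Branch 1: 'ipfs' anywhere in the full effective URL string.
    broad = "ipfs" in url.lower()

    # Branch 2: 'ipfs' as a path label, not an org domain, and either low
    # reputation or a known free file / free subdomain host.
    path_hit = bool(IPFS_PATH_RE.search(parts.path))
    low_reputation = host not in HIGH_REP_DOMAINS
    free_host = (host in FREE_FILE_HOSTS or root in FREE_FILE_HOSTS
                 or root in FREE_SUBDOMAIN_HOSTS)
    strict = path_hit and host not in ORG_DOMAINS and (low_reputation or free_host)

    return {"url": url, "broad": broad, "strict": strict, "hit": broad or strict}


def body_has_credential_language(text: str) -> bool:
    """The two wildcard substring checks from the rule. The rule additionally
    requires the NLU classifier to return a cred_theft intent (not reproduced)."""
    t = text.lower()
    return "expir" in t and "password" in t


def rule_matches(body_text: str, links: list[str]) -> bool:
    """Body language AND at least one IPFS-looking effective URL."""
    return body_has_credential_language(body_text) and any(
        classify_link(u)["hit"] for u in links
    )


# Constructed sample message: phishing-style body plus a mix of link types.
SAMPLE_BODY = (
    "Your mailbox password will expire in 24 hours. "
    "Keep the same password by verifying below."
)
SAMPLE_LINKS = [
    "https://ipfs.io/ipfs/bafybeiexamplecid/index.html",     # public path gateway (hypothetical CID)
    "https://bafybeiexamplecid.ipfs.dweb.link/",             # subdomain gateway
    "https://files.pages.example/share/my-ipfs-page.html",   # free subdomain host, '-ipfs' in path
    "https://corp.example/ipfs-policy",                      # org-owned, excluded by the strict branch only
    "https://www.example.org/docs/guide.pdf",                # benign
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link))
    print("rule matches:", rule_matches(SAMPLE_BODY, SAMPLE_LINKS))
```

Running it shows the public gateway, the subdomain gateway and the org-owned link firing only the broad branch, the free-subdomain link firing both, and the benign PDF firing neither. Because the strict branch requires "ipfs" in the path, and the path is part of the full URL string that the broad `icontains` check inspects, any URL the strict branch accepts has already been accepted by the broad branch; the org-domain and reputation exclusions therefore narrow nothing in this re-implementation (and in the MQL, provided effective_url.url is the full URL including the path). If you tune this rule, that is the branch to tighten.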