High Severity
Credential phishing link (unknown sender)
Description
Message contains a link to a credential phishing page from an unknown sender.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and 0 < length(body.links) < 10
and any(body.links,
ml.link_analysis(.).credphish.disposition == "phishing"
and ml.link_analysis(.).credphish.confidence in ("medium", "high")
)
and (
(
not profile.by_sender().solicited
and profile.by_sender().prevalence != "common"
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// negate legit replies threads
and not (
(
strings.istarts_with(subject.subject, "RE:")
// out of office auto-reply
or strings.istarts_with(subject.subject, "Automatic reply:")
)
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.