type.inbound
and 0 < length(body.links) < 10
and any(body.links,
// contains login or captcha
(
ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
)
// either the original or the redirect is a free subdomain
and (
ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
)
// exclude FP prone free subdomain hosts
// if it's a known brand impersonation, we'll detect it in other rules
and .href_url.domain.root_domain not in ("zendesk.com")
and ml.link_analysis(.).effective_url.domain.root_domain not in ("zendesk.com")
and ml.link_analysis(.).effective_url.domain.domain not in ("login.squarespace.com")
)
// exclude all freesubdomain links are images
and length(filter(body.links,
.href_url.domain.root_domain in $free_subdomain_hosts
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www") ) > 0
and not all(filter(body.links,
.href_url.domain.root_domain in $free_subdomain_hosts
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"), (strings.ends_with(.href_url.url, "jpeg") or strings.ends_with(.href_url.url, "png")))
// exclude FP prone senders
and sender.email.domain.root_domain not in ("sharepointonline.com")
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.