High Severity
Issuu Document With Suspicious Embedded Link
Description
Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns.
References
No references.
Sublime Security
Created May 5th, 2025 • Last updated May 5th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(body.links,
.href_url.domain.root_domain == "issuu.com"
and .href_url.query_params == "fr=xKAE9_zU1NQ" // opens the document full screen
// suspicious link in the Issuu document
and (
any(filter(ml.link_analysis(., mode="aggressive").additional_responses,
strings.icontains(.url.path, "/links/")
),
// less than 3 links in the Issuu document
length(.json["1"]) < 3
and any(.json["1"],
strings.parse_url(.["url"]).domain.tld in $suspicious_tlds
or strings.parse_url(.["url"]).domain.domain in $free_subdomain_hosts
or strings.parse_url(.["url"]).domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(strings.parse_url(.["url"])).credphish.disposition == "phishing"
)
)
// or, credential phishing language on the page
or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.,
mode="aggressive"
).screenshot
).text
).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
and not profile.by_sender_email().any_messages_benign
Playground
Test against your own EMLs or sample data.