type.inbound
// only one link to Ludus
and length(distinct(filter(body.links,
.href_url.domain.root_domain in ("ludus.one")
),
.href_url.url
)
) == 1
and any(body.links,
.href_url.domain.root_domain in ("ludus.one")
and (
any(ml.link_analysis(.).final_dom.links,
.href_url.domain.root_domain != "ludus.com"
// once we have additional responses, add # of slides == 1 logic
and (
.href_url.domain.tld in $suspicious_tlds
or .href_url.domain.domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
// observed pattern in credential theft URLs
or strings.ilike(.href_url.path,
"*o365*",
"*office365*",
"*microsoft*"
)
// observed pattern in credential theft URLs
or strings.ilike(.href_url.query_params,
"*o365*",
"*office365*",
"*microsoft*"
)
// observed pattern in credential theft URLs
or any(beta.scan_base64(.href_url.query_params),
strings.ilike(., "*o365*", "*office365*", "*microsoft*")
)
or ml.link_analysis(.href_url, mode="aggressive").credphish.disposition == "phishing"
or ml.link_analysis(.href_url, mode="aggressive").credphish.contains_captcha
or strings.icontains(ml.link_analysis(.href_url,
mode="aggressive"
).final_dom.display_text,
"I'm Human"
)
// bails out to a well-known domain, seen in evasion attempts
or (
length(ml.link_analysis(.href_url, mode="aggressive").redirect_history
) > 0
and ml.link_analysis(.href_url, mode="aggressive").effective_url.domain.root_domain in $tranco_10k
)
)
)
// credential theft language on the main Scribd page
or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.,
mode="aggressive"
).screenshot
).text
).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.