LWescott create gophish_abuse_pixel_tracking rule (#3351)

Co-authored-by: ID Generator <[email protected]>
Co-authored-by: Alex Herold <[email protected]>

Author: 3 people

detection-rules/gophish_abuse_pixel_tracking.yml

@@ -0,0 +1,23 @@
+name: "Credential theft: Gophish abuse with hidden tracking image"
+description: "Detects messages containing hidden tracking images with display:none style and tracking parameters in the source URL, commonly used for user tracking and engagement monitoring."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    strings.icontains(body.html.raw,
+                      '<img alt='''' style=''display: none'' src='''
+    )
+    or strings.icontains(body.html.raw, 'img alt="" style="display: none" src="')
+  )
+  and strings.icontains(body.html.raw, '/track?rid=')
+
+attack_types:
+  - "Spam"
+tactics_and_techniques:
+  - "Evasion"
+  - "Image as content"
+detection_methods:
+  - "Content analysis"
+  - "HTML analysis"
+id: "59915ceb-4d7c-56ba-a28e-ccda8d95b5e2"