Enhance detection rules for credential phishing (#3611)

Co-authored-by: Brandon Murphy <[email protected]>

Author: peterdj45

detection-rules/credential_phishing_generic_document_sharing.yml

@@ -12,7 +12,7 @@ source: |
   and (
     // subject contains document sharing language
     regex.icontains(subject.base,
-                    '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|document\s*(number|num|#)|file\s+to\s+review|proposal\s+document|new\s+document|document\s+.{0,20}assigned|(complete|review|shared?).{0,20}agreement.{0,20})\b'
+                    '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|document\s*(number|num|#)|file\s+to\s+review|proposal\s+document|new\s+document|document\s+.{0,20}assigned|(complete|review|shared?).{0,20}agreement.{0,20}|document\s+(?:transfer|shared))\b'
     )
     or strings.icontains(subject.subject, 'document to review')
     or strings.icontains(subject.subject, 'file to review')
@@ -109,6 +109,9 @@ source: |
             length(ml.link_analysis(., mode="aggressive").redirect_history) > 0
             and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
           )
+          // or common email marketing/tracking patterns
+          or regex.match(.href_url.url, 'url\d+\..*\.com/ls/click')
+          or regex.match(.href_url.path, '/ls/click|/click|/c/')
   )
   // negate highly trusted sender domains unless they fail DMARC authentication
   and (