LWescott create link_hr_impersonation_suspect_domain_and_cred_theft (#3599)

IndiaAce · ID Generator · web-flow · commit e15e8f12d7c6 · 2025-12-03T17:48:25.000Z
Co-authored-by: ID Generator &lt;hello@sublimesecurity.com&gt;
diff --git a/detection-rules/link_hr_impersonation_with_suspect_domain_and_cred_theft.yml b/detection-rules/link_hr_impersonation_with_suspect_domain_and_cred_theft.yml
@@ -0,0 +1,72 @@
+name: "Link: HR impersonation with suspicious domain indicators and credential theft"
+description: "Detects messages impersonating HR departments containing many links with malformed domains, suspicious TLD patterns, and credential theft language detected through URL analysis."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  // high number of links
+  and length(body.links) > 20
+  // hr-related subject or sender
+  and (
+    regex.icontains(sender.display_name, "\\bhr\\b")
+    or strings.icontains(sender.display_name, "human resources")
+    or strings.icontains(sender.display_name, "employee relation")
+    or regex.icontains(subject.subject, "sal[ai1l|]r[i1l|]es")
+    or regex.icontains(subject.subject, "hr__.{0,30}")
+    or regex.icontains(subject.subject, "work.{0,5}hours")
+    or regex.icontains(subject.subject,
+                       "instant:.{0,20}(salaries|salary|changed|update)"
+    )
+    or strings.icontains(body.current_thread.text, "vacation plan")
+  )
+  // suspect domain irregularities (like www.,company.com)
+  and any(body.links,
+          (
+            // malformed domains with comma variations
+            regex.icontains(.display_text, "www.?,")
+            // multiple consecutive dots
+            or regex.icontains(.display_text, "\\.{2,}")
+            // comma in domain position  
+            or regex.icontains(.display_text, "\\.,")
+            // suspicious TLD patterns that might be typosquatting
+            or regex.icontains(.display_text, "\\.(tu|cg|mv|tk|3v|ct|jh)/")
+            // random characters in TLD position
+            or regex.icontains(.display_text,
+                               "\\.[a-z0-9]{1,3}/[a-z0-9]+/[a-z0-9]+/"
+            )
+            // URLs that contain obvious credential theft terms in the path
+            or regex.icontains(.display_text,
+                               "/(sal[ai1l|]r[i1l|]es|login|auth|verify|portal|payment)/"
+            )
+          )
+          and .visible == true
+          and any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
+                  .name == "cred_theft" and .confidence == "high"
+          )
+  )
+  // exclusions for legitimate sources 
+  and not any(ml.nlu_classifier(body.current_thread.text).topics,
+              .name in (
+                "Security and Authentication",
+                "Secure Message",
+                "Newsletters and Digests",
+                "Entertainment and Sports"
+              )
+              and .confidence in ("medium", "high")
+  )
+  // exclude messages with a bunch of previous corrospondance
+  and not length(body.previous_threads) > 5
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Employee"
+  - "Social engineering"
+  - "Lookalike domain"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Computer Vision"
+  - "URL analysis"
+  - "URL screenshot"
+id: "f31f8831-905e-5384-97b3-70f6f84c7fcc"
