From 09cd2087ad025bd41a4abc088c6cb97d48662971 Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Thu, 22 Jan 2026 11:00:44 -0600
Subject: [PATCH 1/4] new rule: Link: URL shortener with copy-paste instructions
---
 ...ntial_phishing_copy_paste_instructions.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 detection-rules/link_credential_phishing_copy_paste_instructions.yml
diff --git a/detection-rules/link_credential_phishing_copy_paste_instructions.yml b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
new file mode 100644
index 00000000000..8780eae70e2
--- /dev/null
+++ b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
@@ -0,0 +1,30 @@
+name: "Link: URL shortener with copy-paste instructions and credential theft language"
+description: "Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry."
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ and length(body.current_thread.links) > 0
+ and all(body.current_thread.links,
+ .href_url.domain.root_domain in $url_shorteners
+ )
+ and (
+ strings.icontains(body.current_thread.text, 'copy')
+ and (
+ strings.icontains(body.current_thread.text, 'pasting')
+ or strings.icontains(body.current_thread.text, 'paste')
+ )
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == 'cred_theft' and .confidence == 'high'
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "URL analysis"
From 36c281258827da8100ba6f1b51171f8b9271ccf9 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Thu, 22 Jan 2026 17:03:59 +0000
Subject: [PATCH 2/4] Auto-format MQL and add rule IDs
---
 .../link_credential_phishing_copy_paste_instructions.yml | 1 +
 1 file changed, 1 insertion(+)
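Review bot: `strings.icontains(body.current_thread.text, 'copy')` in the new `source` block is satisfied by any message whose footer carries a copyright line, so the "copy" half of the copy-paste test adds almost no signal and the rule effectively fires on shortener links plus "paste" plus the NLU intent. A word-boundary match narrows it to the instruction the description talks about, e.g. `regex.icontains(body.current_thread.text, '\bcopy\b')`, and the same treatment for the paste branch (`'\bpast(e|ing)\b'`) would fold the two `paste`/`pasting` lines into one. The `all(...)` clause also means a message that carries even one non-shortener link (an unsubscribe or logo link, say) never matches; that is consistent with the description's "containing only URL shorteners", but a comment above the `all(` line such as `// every link must be a shortener; any other link exempts the message` would make the trade-off visible to the next maintainer.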
diff --git a/detection-rules/link_credential_phishing_copy_paste_instructions.yml b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
index 8780eae70e2..3dd5cdab67f 100644
--- a/detection-rules/link_credential_phishing_copy_paste_instructions.yml
+++ b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
@@ -28,3 +28,4 @@ detection_methods:
 - "Content analysis"
 - "Natural Language Understanding"
 - "URL analysis"
+id: "a0a2c573-3686-590e-8715-fc4a32202c92"
From 76cf714bbcf087794f613ffecf31db0f1c5251ad Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Fri, 23 Jan 2026 10:38:39 -0600
Subject: [PATCH 3/4] negate display urls that match the sender root domain
---
 .../link_credential_phishing_copy_paste_instructions.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/detection-rules/link_credential_phishing_copy_paste_instructions.yml b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
index 3dd5cdab67f..a45fe3cebff 100644
--- a/detection-rules/link_credential_phishing_copy_paste_instructions.yml
+++ b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
@@ -18,6 +18,8 @@ source: |
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == 'cred_theft' and .confidence == 'high'
 )
+ // negate display urls that match the sender root domain
+ and not any(body.current_thread.links, .display_url.domain.root_domain == sender.email.domain.root_domain)
 attack_types:
 - "Credential Phishing"
From 6a5f9994381dcec070ceea84c9837d6abea65d07 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 23 Jan 2026 16:40:44 +0000
Subject: [PATCH 4/4] Auto-format MQL and add rule IDs
---
 .../link_credential_phishing_copy_paste_instructions.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/detection-rules/link_credential_phishing_copy_paste_instructions.yml b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
index a45fe3cebff..586e2551183 100644
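Review bot: The negation added after the NLU clause keys on `.display_url`, which is link text the sender controls, so a message whose visible link text shows the sender's own domain while the href is a shortener — the display/href mismatch this rule exists to catch — is now exempted, and because the `all(...)` clause already forces every href to be a shortener, the comparison can only ever be about display text. If the intent is to spare legitimate mail that brands its own shortened links, gate the exemption on sender authentication rather than on the display string alone, e.g. `and not any(body.current_thread.links, .display_url.domain.root_domain == sender.email.domain.root_domain and headers.auth_summary.dmarc.pass)`, assuming that field is available in this rule schema. The final auto-format hunk only re-wraps the same clause, so the point applies there as well. The `source` block this sits in starts outside the hunk.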
--- a/detection-rules/link_credential_phishing_copy_paste_instructions.yml
+++ b/detection-rules/link_credential_phishing_copy_paste_instructions.yml
@@ -19,8 +19,9 @@ source: |
 .name == 'cred_theft' and .confidence == 'high'
 )
 // negate display urls that match the sender root domain
- and not any(body.current_thread.links, .display_url.domain.root_domain == sender.email.domain.root_domain)
-
+ and not any(body.current_thread.links,
+ .display_url.domain.root_domain == sender.email.domain.root_domain
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques: