From 2001a131ae5dd7490c9ac4e668fd5aab72b5c65a Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Mon, 18 May 2026 15:19:05 -0500
Subject: [PATCH 1/2] Create link_self_sender_cred_theft_config_placeholder.yml
---
 ...f_sender_cred_theft_config_placeholder.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 detection-rules/link_self_sender_cred_theft_config_placeholder.yml
diff --git a/detection-rules/link_self_sender_cred_theft_config_placeholder.yml b/detection-rules/link_self_sender_cred_theft_config_placeholder.yml
new file mode 100644
index 00000000000..85b43b90002
--- /dev/null
+++ b/detection-rules/link_self_sender_cred_theft_config_placeholder.yml
@@ -0,0 +1,26 @@
+name: "Link: Self-sender credential theft with configuration placeholder"
+description: "Detects messages where the sender and recipient are the same address, containing credential theft language and links with configuration placeholder text indicating a phishing lure."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ // self sender
+ and length(recipients.to) == 1
+ and sender.email.email == recipients.to[0].email.email
+ and any(ml.nlu_classifier(body.current_thread.text).intents, .name == 'cred_theft' and .confidence != 'low')
+ and any(body.current_thread.links,
+ strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
+ '/*──── CONFIG: Replace with your lure URL ────*/'
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "Natural Language Understanding"
+ - "Content analysis"
+ - "URL analysis"
+ - "Header analysis"
From 95ff5b10f80fddae87998585c4c2b227e72daf56 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Mon, 18 May 2026 20:21:57 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs
---
 .../link_self_sender_cred_theft_config_placeholder.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
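Review bot: The `strings.contains(... .final_dom.raw, '/*──── CONFIG: Replace with your lure URL ────*/')` clause near the bottom of the hunk ties the rule to one byte-exact kit comment, box-drawing characters included, so a trivial edit to that comment in the kit, or any encoding normalization of the fetched DOM, silently disables the rule while the self-sender and cred_theft conditions above it still describe the threat; the rule has no fallback for that case. Worth recording that fragility where the rule is read, in the `//` comment style the `source` block already uses, e.g. `// kit artifact: exact-match marker left in the rendered page; revisit if the kit changes` above the `and any(body.current_thread.links,` line, and in `description`, which currently presents the placeholder text as a generic lure indicator rather than a specific artifact. Separately, `ml.link_analysis(., mode="aggressive")` is evaluated for every entry in `body.current_thread.links`; if the engine does not cap this, a cheaper pre-filter on the link set before the DOM fetch would keep the rule's cost bounded on link-heavy threads. I cannot tell from the hunk whether such a cap exists.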
diff --git a/detection-rules/link_self_sender_cred_theft_config_placeholder.yml b/detection-rules/link_self_sender_cred_theft_config_placeholder.yml
index 85b43b90002..87a71cf92ad 100644
--- a/detection-rules/link_self_sender_cred_theft_config_placeholder.yml
+++ b/detection-rules/link_self_sender_cred_theft_config_placeholder.yml
@@ -7,13 +7,14 @@ source: |
 // self sender
 and length(recipients.to) == 1
 and sender.email.email == recipients.to[0].email.email
- and any(ml.nlu_classifier(body.current_thread.text).intents, .name == 'cred_theft' and .confidence != 'low')
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == 'cred_theft' and .confidence != 'low'
+ )
 and any(body.current_thread.links,
 strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
 '/*──── CONFIG: Replace with your lure URL ────*/'
 )
 )
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
@@ -24,3 +25,4 @@ detection_methods:
 - "Content analysis"
 - "URL analysis"
 - "Header analysis"
+id: "dbf2ce70-9637-5c05-a98c-5af01c687d17"