From 86bdf1545078b748318259b5a31d604182e18d64 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Tue, 19 May 2026 15:16:19 -0500
Subject: [PATCH 1/3] Create link_self_sender_cred_theft_sus_tlds.yml

Related to escalation and is related to multiple candidate rules for this sample.
---
 .../link_self_sender_cred_theft_sus_tlds.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 detection-rules/link_self_sender_cred_theft_sus_tlds.yml

diff --git a/detection-rules/link_self_sender_cred_theft_sus_tlds.yml b/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
new file mode 100644
index 00000000000..70017c1867d
--- /dev/null
+++ b/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
@@ -0,0 +1,29 @@
+name: "Link: Self-sender credential theft with suspicious TLD"
+description: "Detects messages where the sender and recipient are the same, DMARC authentication passes, but the message contains links to suspicious top-level domains and shows machine learning indicators of credential theft intent."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ // self sender
+ and sender.email.email == recipients.to[0].email.email
+ // auth passes
+ and coalesce(headers.auth_summary.dmarc.pass, false)
+ // link is suspicious tlds
+ and any(body.links,
+ .href_url.domain.tld in~ $suspicious_tlds
+ )
+ // ML signals credential phishing
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence != "low"
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Spoofing"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
+ - "URL analysis"
+ - "Natural Language Understanding"
+ - "Threat intelligence"
From 6ca78790742db1cb2ed881d7ae039e8d402c135a Mon Sep 17 00:00:00 2001
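Review bot: The self-sender check `and sender.email.email == recipients.to[0].email.email` inspects only the first To recipient, so a message whose sender address appears as a later To entry never matches, and `==` is case-sensitive, so a From/To pair differing only in letter case also escapes unless addresses are normalised upstream. Consider `and any(recipients.to, .email.email =~ sender.email.email)` so that any To recipient equal to the sender qualifies. The hunk is the entire new rule file, so nothing is cut off; the DMARC-pass requirement is the rule's central assumption and is already stated in `description`, which is good.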
From: CI Bot
Date: Tue, 19 May 2026 20:20:43 +0000
Subject: [PATCH 2/3] Auto-format MQL and add rule IDs
---
 detection-rules/link_self_sender_cred_theft_sus_tlds.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/detection-rules/link_self_sender_cred_theft_sus_tlds.yml b/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
index 70017c1867d..cb242c32b1f 100644
--- a/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
+++ b/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
@@ -9,9 +9,7 @@ source: | // auth passes and coalesce(headers.auth_summary.dmarc.pass, false) // link is suspicious tlds - and any(body.links, - .href_url.domain.tld in~ $suspicious_tlds - ) + and any(body.links, .href_url.domain.tld in~ $suspicious_tlds) // ML signals credential phishing and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft" and .confidence != "low"
@@ -27,3 +25,4 @@ detection_methods: - "URL analysis" - "Natural Language Understanding" - "Threat intelligence" +id: "2221809b-f2d3-5323-973c-9fe46a969660"
From 5b6044a9963fa964c8f6d122e706cf91c791f849 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Fri, 22 May 2026 09:02:05 -0500
Subject: [PATCH 3/3] Update link_self_sender_cred_theft_sus_tlds.yml

Excluding legit emails with json file attachments. [hunt](https://platform.sublime.security/messages/hunt?huntId=019e4ffd-a3a9-70f1-8836-a6fa07902909)
---
 detection-rules/link_self_sender_cred_theft_sus_tlds.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/detection-rules/link_self_sender_cred_theft_sus_tlds.yml b/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
index cb242c32b1f..faac03583fe 100644
--- a/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
+++ b/detection-rules/link_self_sender_cred_theft_sus_tlds.yml
@@ -9,11 +9,17 @@ source: | // auth passes and coalesce(headers.auth_summary.dmarc.pass, false) // link is suspicious tlds - and any(body.links, .href_url.domain.tld in~ $suspicious_tlds) + and any(body.links, + .href_url.domain.tld in~ $suspicious_tlds + // and sender.email.domain.tld == .href_url.domain.tld + ) // ML signals credential phishing and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft" and .confidence != "low" ) + // exclude json attachments from legit services + // all will provide samples without attachments as well + and all(attachments, .file_extension != "json") attack_types: - "Credential Phishing" tactics_and_techniques:
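Review bot: The new exclusion `and all(attachments, .file_extension != "json")` keys on an attribute the sender fully controls, so any credential-theft message that also carries a `.json` attachment now suppresses the whole rule; narrowing the exclusion to the legitimate services observed in the linked hunt (a sender or body anchor combined with the extension check) would keep the false-positive fix without opening that gap. The commented-out `// and sender.email.domain.tld == .href_url.domain.tld` inside `any(body.links, ...)` is dead code with no stated reason for being disabled — either drop it or replace it with a one-line comment explaining why the TLD-match condition was rejected. The comment `// all will provide samples without attachments as well` is ambiguous about what "all" refers to; if it means the services from the hunt also send attachment-free messages that still match, `// services seen in the hunt also send attachment-free messages, which still match` says so.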