From 8039d5454fa4449c5fe2e6b34e3becb313e8c92c Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Tue, 19 May 2026 16:09:39 -0500
Subject: [PATCH 1/2] Create link_self_sender_doc_lure_external_domain.yml

---
 ...k_self_sender_doc_lure_external_domain.yml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 detection-rules/link_self_sender_doc_lure_external_domain.yml

diff --git a/detection-rules/link_self_sender_doc_lure_external_domain.yml b/detection-rules/link_self_sender_doc_lure_external_domain.yml
new file mode 100644
index 00000000000..a867ec06093
--- /dev/null
+++ b/detection-rules/link_self_sender_doc_lure_external_domain.yml
@@ -0,0 +1,46 @@
+name: "Link: Self-sender with document lure and external domain"
+description: |
+ Detects self-addressed messages from authenticated business email accounts containing document-sharing language and links to external domains.
+ These messages often indicate compromised account testing where attackers validate phishing infrastructure before targeting external recipients.
+ The combination of DMARC authentication, document lure patterns, external links, and ML-detected credential theft intent suggests an attacker is using a legitimate compromised account to test their phishing campaign.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ // self sender
+ and sender.email.email == recipients.to[0].email.email
+ // auth passes
+ and coalesce(headers.auth_summary.dmarc.pass, false)
+ // not free email
+ and sender.email.domain.root_domain not in $free_email_providers
+ // Document/file language
+ and regex.icontains(body.current_thread.text,
+ '\b(document[s]|file|invoice|report|statement|payment)\b'
+ )
+ and any(body.links,
+ .href_url.domain.root_domain != sender.email.domain.root_domain
+ and .href_url.domain.root_domain not in $free_file_hosts
+ )
+ and not any(headers.reply_to,
+ .email.domain.domain in $org_domains
+ or .email.domain.root_domain in $high_trust_sender_root_domains
+ or .email.domain.root_domain in ("docusign.net", "docusign.com")
+ )
+ // ML signals credential phishing
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence != "low"
+ )
+ // Not password reset, compromised account emails
+ and not (
+ strings.icontains(body.current_thread.text, "compromised")
+ or strings.icontains(body.current_thread.text, "password")
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
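Review bot: The document-lure pattern on the `regex.icontains` line matches only the plural form, because `document[s]` is a one-character class that requires the `s`, so a body saying "your document is ready" passes this clause only if another listed word happens to appear; the comment `// Document/file language` reads as though both forms are intended, so make it optional with `'\b(documents?|file|invoice|report|statement|payment)\b'`. Separately, the self-sender check compares the sender only against `recipients.to[0]`, so a message where the compromised account is listed second in the To header is not treated as self-addressed; if that is deliberate, a comment such as `// only the first To recipient is compared` would make the choice explicit. Note also that the trailing `and not (... "password" ...)` exclusion suppresses any lure whose text mentions a password, which is a reasonable false-positive trade for reset notices but means lures that explicitly ask for a password will not fire this rule.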
From 3bf164ccaea0ef744ee54d667666bd663f9581ed Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Tue, 19 May 2026 21:12:30 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 detection-rules/link_self_sender_doc_lure_external_domain.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/link_self_sender_doc_lure_external_domain.yml b/detection-rules/link_self_sender_doc_lure_external_domain.yml
index a867ec06093..2ee19b24e21 100644
--- a/detection-rules/link_self_sender_doc_lure_external_domain.yml
+++ b/detection-rules/link_self_sender_doc_lure_external_domain.yml
@@ -44,3 +44,4 @@ detection_methods:
 - "Natural Language Understanding"
 - "Sender analysis"
 - "URL analysis"
+id: "dce9e334-7766-5bd8-b464-b3a7b6d22d0c"