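--- a/detection-rules/link_self_sender_doc_lure_external_domain.yml
+++ b/detection-rules/link_self_sender_doc_lure_external_domain.yml
@@ -0,0 +1,47 @@
+name: "Link: Self-sender with document lure and external domain"
+description: |
+Detects self-addressed messages from authenticated business email accounts containing document-sharing language and links to external domains.
+These messages often indicate compromised account testing where attackers validate phishing infrastructure before targeting external recipients.
+The combination of DMARC authentication, document lure patterns, external links, and ML-detected credential theft intent suggests an attacker is using a legitimate compromised account to test their phishing campaign.
+type: "rule"
+severity: "high"
+source: |
+type.inbound
+// self sender
+and sender.email.email == recipients.to[0].email.email
+// auth passes
+and coalesce(headers.auth_summary.dmarc.pass, false)
+// not free email
+and sender.email.domain.root_domain not in $free_email_providers
+// Document/file language
+and regex.icontains(body.current_thread.text,
+'\b(document[s]|file|invoice|report|statement|payment)\b'
+)
+and any(body.links,
+.href_url.domain.root_domain != sender.email.domain.root_domain
+and .href_url.domain.root_domain not in $free_file_hosts
+)
+and not any(headers.reply_to,
+.email.domain.domain in $org_domains
+or .email.domain.root_domain in $high_trust_sender_root_domains
+or .email.domain.root_domain in ("docusign.net", "docusign.com")
+)
+// ML signals credential phishing
+and any(ml.nlu_classifier(body.current_thread.text).intents,
+.name == "cred_theft" and .confidence != "low"
+)
+// Not password reset, compromised account emails
+and not (
+strings.icontains(body.current_thread.text, "compromised")
+or strings.icontains(body.current_thread.text, "password")
+)
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "Natural Language Understanding"
+- "Sender analysis"
+- "URL analysis"
+id: "dce9e334-7766-5bd8-b464-b3a7b6d22d0c"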
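Review bot: The document-lure regex `'\b(document[s]|file|invoice|report|statement|payment)\b'` never matches the singular "document", because `[s]` is a required character class rather than an optional suffix, and the `\b` anchors likewise reject the plurals "files", "invoices", "reports", "statements" and "payments"; `'\b(documents?|files?|invoices?|reports?|statements?|payments?)\b'` covers both forms. The trailing exclusion `strings.icontains(body.current_thread.text, "password")` is a one-word bypass for a credential-phishing rule, since any lure that mentions a password is dropped regardless of the `cred_theft` intent; anchoring it to the notification phrasing the comment says it targets, e.g. `strings.icontains(body.current_thread.text, "reset your password")`, would narrow that gap. The external-link clause `.href_url.domain.root_domain != sender.email.domain.root_domain` does not exclude `$org_domains` or `$high_trust_sender_root_domains` the way the reply-to clause does, so an internal self-send linking to an allowed vendor domain still satisfies it. Finally, `recipients.to[0].email.email` only inspects the first To recipient, so a self-addressed copy placed in cc or later in the To list is presumably missed, and whether the `==` comparison is case-insensitive is not visible here and worth confirming.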