Update link_mamba_2fa_phishing_kit.yml (#3877)

hadojae · web-flow · commit 1398cf97c96b · 2026-01-28T20:15:55.000Z
diff --git a/detection-rules/link_mamba_2fa_phishing_kit.yml b/detection-rules/link_mamba_2fa_phishing_kit.yml
@@ -26,18 +26,17 @@ source: |
   and any(body.links,
           any(ml.link_analysis(., mode="aggressive").redirect_history,
               (
-                // sv=o365 to base64
-                strings.contains(.url, 'c3Y9bzM2NV')
+                // sv= in base64 as well as commonly observed tag
+                regex.contains(.url, '(?:(?:/?|=)c3Y9|N0123N)')
                 // &uid=USER base64 offsets
                 and (
                   strings.contains(.url, 'JnVpZD1VU0VS')
                   or strings.contains(.url, 'Z1aWQ9VVNFU')
                   or strings.contains(.url, 'mdWlkPVVTRV')
-                )
+                )              
               )
           )
   )
-
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:

Original file line number	Diff line number	Diff line change
`@@ -26,18 +26,17 @@ source: \|`
`26`	`26`	`and any(body.links,`
`27`	`27`	`any(ml.link_analysis(., mode="aggressive").redirect_history,`
`28`	`28`	`(`
`29`		`- // sv=o365 to base64`
`30`		`- strings.contains(.url, 'c3Y9bzM2NV')`
	`29`	`+ // sv= in base64 as well as commonly observed tag`
	`30`	`+ regex.contains(.url, '(?:(?:/?\|=)c3Y9\|N0123N)')`
`31`	`31`	`// &uid=USER base64 offsets`
`32`	`32`	`and (`
`33`	`33`	`strings.contains(.url, 'JnVpZD1VU0VS')`
`34`	`34`	`or strings.contains(.url, 'Z1aWQ9VVNFU')`
`35`	`35`	`or strings.contains(.url, 'mdWlkPVVTRV')`
`36`		`- )`
	`36`	`+ )`
`37`	`37`	`)`
`38`	`38`	`)`
`39`	`39`	`)`
`40`		`-`
`41`	`40`	`attack_types:`
`42`	`41`	`- "Credential Phishing"`
`43`	`42`	`tactics_and_techniques:`