Create link_susp_gophp.yml

Author: keaton-sublime

detection-rules/link_susp_gophp.yml

@@ -0,0 +1,21 @@
+name: "Link: Suspicious go.php redirect with document lure"
+description: "Detects links ending in 'go.php' with authentication parameters that masquerade as document access links using 'Open Document' display text."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(body.current_thread.links,
+          strings.ends_with(.href_url.path, "go.php")
+          and strings.starts_with(.href_url.query_params, "auth=")
+          and strings.count(.href_url.path, "/") == 2
+          and .display_text == "Open Document"
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "URL analysis"