Create link_credential_theft_ajax_functionality_free_image_hosting_services.yml

Author: hadojae

detection-rules/link_credential_theft_ajax_functionality_free_image_hosting_services.yml

@@ -0,0 +1,40 @@
+name: "Link: Credential theft with AJAX functionality and free image hosting services"
+description: "Detects unsolicited messages containing links that lead to pages with AJAX functionality targeting password fields and utilizing images from free hosting services, indicating potential credential harvesting operations."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and 0 < length(body.links) < 10
+  and not profile.by_sender().solicited
+  and length(recipients.to) == 1
+  and recipients.to[0].email.domain.valid
+  and any(body.links,
+          (
+            // ajax
+            regex.icontains(ml.link_analysis(.).final_dom.raw,
+                            '\$\.ajax\s*\(\s*\{[^}]+url:\s*[\x22\x27][^\x22\x27]+\.php[\x22\x27]'
+            )
+            // page contains password string
+            and strings.icontains(ml.link_analysis(.).final_dom.raw,
+                                'password'
+            )
+            // images from free hosting services
+            and regex.icontains(ml.link_analysis(.).final_dom.raw,
+                                'svgur\.com|cdn\.glitch\.global|imgbox\.com|svgshare\.com|freepnglogos\.com|firebasestorage\.googleapis\.com|archive\.org|web\.archive\.org|pngimg\.com|imgur\.com|i\.hizliresim\.com|pinimg\.com|freepik\.com|postimg\.org|postimg\.cc|img\.favpng\.com|gyazo\.com|ibb\.co|image\.thum\.io|iili\.io|zupimages\.net|imagedelivery\.net|images\.seeklogo\.com|images\.unsplash\.com'
+            )
+          )
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free file host"
+  - "Scripting"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Javascript analysis"
+  - "Sender analysis"
+  - "URL analysis"
+  - "URL screenshot"