[PR #3746] added rule: Service Abuse: GoDaddy infrastructure

Author: github-actions[bot]

detection-rules/3746_service_abuse_godaddy_infra.yml

@@ -0,0 +1,25 @@
+name: "Service Abuse: GoDaddy infrastructure"
+description: "Detects messages from legitimate GoDaddy domains with suspicious indicators. Observed abused for call back phishing and extortion campaigns."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) == 0
+  // legitimate GoDaddy sending infrastructure
+  and (
+    sender.email.domain.root_domain == "godaddy.com"
+    and headers.auth_summary.dmarc.pass
+  )
+  and any(body.links, .display_text in~ ("Pay Now", "Accept Access"))
+attack_types:
+  - "Callback Phishing"
+  - "Extortion"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Natural Language Understanding"
+  - "Content analysis"
+id: "e645c524-c0b8-538a-8198-4a82bf78a1e2"
+og_id: "8a2dd357-3ecf-5d23-bcd8-d215a5f677dd"
+testing_pr: 3746
+testing_sha: fdae05abc38e8c72152718110bf41cbee4c51ebb