diff --git a/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml b/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
index 5e11b635e1f..da4f8a200a6 100644
--- a/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
+++ b/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
@@ -7,33 +7,25 @@ source: |
 and length(recipients.to) == 1
 and recipients.to[0].email.domain.valid
 and any(body.current_thread.links,
- // special char in the path
- (
- strings.icontains(.href_url.path, '!')
- or strings.icontains(.href_url.path, '@')
- )
 // a single path
- and strings.count(.href_url.path, '/') == 2
+ strings.count(.href_url.path, '/') == 2
+ // special chars
 and (
 strings.icontains(.href_url.path, '/$')
 or strings.icontains(.href_url.path, '/*')
+ or strings.icontains(.href_url.url, '/#')
 )
+ // recipient email in url or path
 and (
- (
- strings.icontains(.href_url.path, recipients.to[0].email.email)
- or strings.icontains(.href_url.fragment,
- recipients.to[0].email.email
- )
- or any(strings.scan_base64(.href_url.path, ignore_padding=true),
- strings.icontains(., recipients.to[0].email.email)
- )
- or any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
- strings.icontains(., recipients.to[0].email.email)
- )
+ strings.icontains(.href_url.path, recipients.to[0].email.email)
+ or any(strings.scan_base64(.href_url.url,
+ ignore_padding=true,
+ format="url"
+ ),
+ strings.icontains(., recipients.to[0].email.email)
 )
 )
 )
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
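Review bot: The plaintext recipient-email check in the new `// recipient email in url or path` clause appears narrower than the one it replaces: the removed code also tested `.href_url.fragment`, while the rewrite tests only `.href_url.path` plus a base64url scan of the whole URL, so an address that sits un-encoded in the fragment no longer satisfies the clause even though a `/#` branch was just added to the special-chars condition for that link shape. If that narrowing was not intended, adding `or strings.icontains(.href_url.fragment, recipients.to[0].email.email)` next to the path check restores the previous coverage without widening the match to query strings, where recipient addresses are common in legitimate mail. The comment also promises "url or path" while the plaintext test covers only the path; either align the comment (`// recipient email: plaintext in path, or base64url-encoded anywhere in url`) or test `.href_url.url` and accept the broader match. The `source: |` block and the enclosing `any(body.current_thread.links, …)` begin before this hunk.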