Create lookalike_domain_with_suspicious_language.yml #2197
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/update-test-rules |
|
/update-test-rules |
github-actions bot
pushed a commit
that referenced
this pull request
Dec 6, 2024
Create lookalike_domain_with_suspicious_language.yml by @morriscode #2197 Source SHA f0b99c7 Triggered by @morriscode
|
/update-test-rules |
github-actions bot
pushed a commit
that referenced
this pull request
Dec 11, 2024
Create lookalike_domain_with_suspicious_language.yml by @morriscode #2197 Source SHA 0a72154 Triggered by @morriscode
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This rule identifies messages where links use typosquatting or lookalike domains similar to the sender domain, with at least one domain being either unregistered or recently registered (≤90 days). The messages must also contain indicators of business email compromise (BEC), credential theft, or abusive language patterns like financial terms or polite phrasing such as "kindly." This layered approach targets phishing attempts combining domain deception with manipulative content"
Associated samples
Link to samples that are affected by your change.
For example, samples you are negating, samples you are including, or samples your new insight should fire on.