heroui logo

Link: Self-sender with IP geolocation check and suspicious link behavior

Sublime Rules

View Source
Summary
This rule targets inbound emails where the sender and recipient appear to be the same address and the message contains a small number of links (1-9). It flags traffic where at least one link navigates to an external domain (root_domain differs from the sender’s domain) and a URL analysis check reveals access to the IP geolocation service ipinfo.io/json. The rule additionally excludes messages that route to Salesforce (return_path domain root_domain != "salesforce.com"), reducing false positives from legitimate Salesforce-originated mail. The intention is to identify credential-phishing attempts that use self-sent or spoofed sender identities to exploit social engineering and evasion via geolocation checks. It relies on sender-address analysis and URL/link analysis to detect suspicious link behaviors and potential credential harvesting indicators, rather than relying solely on content keywords or attachments. Operationally, this rule is a precautionary signal for potential credential-theft campaigns and should be correlated with user reports and additional domain/URL reputation data for confirmation.
Categories
  • Endpoint
  • Web
Data Sources
  • Network Traffic
  • Script
Created: 2026-07-15