
Summary
This rule targets inbound emails where the sender and recipient appear to be the same address and the message contains a small number of links (1-9). It flags traffic where at least one link navigates to an external domain (root_domain differs from the sender’s domain) and a URL analysis check reveals access to the IP geolocation service ipinfo.io/json. The rule additionally excludes messages that route to Salesforce (return_path domain root_domain != "salesforce.com"), reducing false positives from legitimate Salesforce-originated mail. The intention is to identify credential-phishing attempts that use self-sent or spoofed sender identities to exploit social engineering and evasion via geolocation checks. It relies on sender-address analysis and URL/link analysis to detect suspicious link behaviors and potential credential harvesting indicators, rather than relying solely on content keywords or attachments. Operationally, this rule is a precautionary signal for potential credential-theft campaigns and should be correlated with user reports and additional domain/URL reputation data for confirmation.
Categories
- Endpoint
- Web
Data Sources
- Network Traffic
- Script
Created: 2026-07-15