
Summary
This detection rule identifies potentially fraudulent emails that claim to come from legitimate companies but actually originate from free email providers. It focuses on emails whose links follow a specific format and that urge recipients to call a fraudulent customer service number. The detection conditions include checking whether the sender's address belongs to a known free email service, and analyzing the email body for links with specific characteristics, such as displaying 'Unsubscribe' while lacking a proper return path or containing certain prohibited query parameters. This analysis matters because such unsolicited emails can be a precursor to Business Email Compromise (BEC) or Callback Phishing attacks, which use social engineering to mislead recipients into divulging sensitive information or calling phishing numbers.
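The following is an added illustration of the heuristic the summary describes, written here for this page; it is not the rule's own query language or logic. It assumes a small free-mail domain list, stands in placeholder names (redirect, callback, unsub_id) for the rule's unnamed prohibited query parameters, interprets "lacking a proper return path" as a Return-Path header that is missing or whose domain differs from the From domain, and adds a phone-number/call-to-action check as a reported context signal rather than a required condition. The three sample messages are constructed test data.

```python
"""Heuristic mirroring the described rule: free-mail sender plus suspicious links."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# Assumed free webmail domains; the real rule uses its own provider list.
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Placeholder names standing in for the rule's prohibited query parameters (assumption).
PROHIBITED_QUERY_PARAMS = {"redirect", "callback", "unsub_id"}

# Naive anchor extraction (href plus visible text); adequate for simple HTML bodies.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# North American phone-number shapes such as (800) 555-0199 or 800-555-0199.
PHONE_RE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
CALL_WORDS = re.compile(r"\b(call|dial|phone)\b", re.I)


def _domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header ('' if none)."""
    m = re.search(r"@([\w.-]+)", header_value)
    return m.group(1).lower() if m else ""


def sender_domain(msg: EmailMessage) -> str:
    return _domain_of(msg.get("From", ""))


def return_path_domain(msg: EmailMessage) -> str:
    return _domain_of(msg.get("Return-Path", ""))


def html_body(msg: EmailMessage) -> str:
    """Prefer the HTML part, fall back to plain text, '' if neither exists."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def evaluate(raw: str) -> dict:
    """Apply the heuristic to a raw RFC 5322 message; return verdict and fired signals."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = sender_domain(msg)
    if from_dom not in FREE_MAIL_PROVIDERS:
        return {"match": False, "signals": [], "callback_lure": False}

    return_path_ok = return_path_domain(msg) == from_dom
    body = html_body(msg)
    signals = []
    for href, inner in ANCHOR_RE.findall(body):
        text = TAG_RE.sub("", inner).strip().lower()
        url = urlparse(href)
        if text == "unsubscribe" and not return_path_ok:
            signals.append(f"'Unsubscribe' link to {url.netloc} without matching return path")
        bad = sorted(set(parse_qs(url.query)) & PROHIBITED_QUERY_PARAMS)
        if bad:
            signals.append(f"link to {url.netloc} carries prohibited parameter(s) {bad}")

    text_only = TAG_RE.sub(" ", body)
    callback_lure = bool(PHONE_RE.search(text_only) and CALL_WORDS.search(text_only))
    return {"match": bool(signals), "signals": signals, "callback_lure": callback_lure}


def build_message(from_addr: str, html: str, return_path: str = "") -> str:
    """Assemble a minimal raw message for testing (constructed data, not real mail)."""
    headers = [
        f"From: {from_addr}",
        "To: recipient@example.org",
        "Subject: Your invoice",
        "MIME-Version: 1.0",
        'Content-Type: text/html; charset="utf-8"',
    ]
    if return_path:
        headers.insert(0, f"Return-Path: {return_path}")
    return "\n".join(headers) + "\n\n" + html + "\n"


# Constructed samples: one callback-phishing lookalike, one legitimate bulk mail, one personal note.
SUSPECT = build_message(
    '"Acme Billing" <acme.billing.support@gmail.com>',
    "<p>Your renewal of $499 was processed. To dispute the charge, call (800) 555-0199.</p>"
    '<p><a href="https://track.example.net/u?unsub_id=8812">Unsubscribe</a></p>',
)
LEGIT_BULK = build_message(
    "Acme Newsletter <news@acme.example>",
    '<p>This month at Acme.</p><p><a href="https://acme.example/unsub?id=7">Unsubscribe</a></p>',
    return_path="<bounce@acme.example>",
)
PERSONAL = build_message(
    "Dana <dana.r@gmail.com>",
    "<p>Are we still on for lunch? Call me if not.</p>",
    return_path="<dana.r@gmail.com>",
)

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("LEGIT_BULK", LEGIT_BULK), ("PERSONAL", PERSONAL)):
        print(name, evaluate(raw))
```

Only the first sample matches: the sender is a free-mail address, the Return-Path is absent, and the 'Unsubscribe' link carries a flagged parameter; the phone lure is reported alongside for the analyst. The corporate newsletter never reaches the link checks because its sender domain is not free-mail, and the personal Gmail note has a matching return path and no links.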
Categories
- Endpoint
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2022-03-09