
Summary
This detection rule flags inbound messages that originate from SurveyMonkey user-related domains (surveymonkeyuser.com) and contain links within nested HTML tables that resolve to non-Surveymonkey domains. It specifically targets the first anchor tag in a nested table structure and requires that the link’s domain is not surveymonkey.com, the visible link text does not include the word "survey", and the link is not an exception related to Mimecast domains with certain decoded query parameters that reference trusted tenant domains or surveymonkey.com. The rule combines sender domain validation, HTML structure parsing, and URL/domain checks to identify suspicious outbound links that could be used for credential phishing or brand impersonation. It is categorized under credential phishing with social engineering and brand impersonation techniques and uses content analysis, HTML analysis, sender analysis, and URL analysis to determine matches.
Categories
- Web
- Endpoint
Data Sources
- Script
- File
- Process
Created: 2026-07-09