
Summary
This rule detects credential-phishing emails that impersonate state-level business compliance communications (for example Statements of Information or Certificates of Good Standing) and pressure recipients to click credential-harvesting links hosted on free subdomain services. It targets inbound threads that are not replies or forwards, and requires a combination of textual cues, URL indicators, ML-based intent, and sender-domain authentication signals to raise an alert. Specifically, it looks for at least two of five phrases or patterns in the message body (Statement of Information; Secretary of State; a regex for filing overdue; Certificate of Good Standing; business suspension). It also requires at least one link in the thread whose root domain is in a known set of free subdomain hosts. Additionally, a high-confidence credential-theft intent must be inferred from the thread text via an NLP classifier. To reduce false positives from legitimate communications from trusted sources, detections are suppressed if the sender’s domain is considered highly trusted and the message passes DMARC authentication. The rule is built around content analysis (text cues), URL analysis (host domain checking), and NLP-based intent detection, complemented by DMARC-based sender trust checks. This combination aims to catch opportunistic impersonation phishing that uses urgent state-filings language and free-hosted URLs while avoiding flagging trusted domains with proper authentication.
Categories
- Web
- Network
Data Sources
- Application Log
- Process
Created: 2026-07-15