Phishing Scenario Rule Conditions
This topic describes the conditions that you can use to create rules and the default rules provided for the following phishing scenarios:
- Phishing domains
- Phishing websites
- Phishing Watch
- Best Practices for Phishing Domain Detection
- Reduce the number of phishing alerts
- Set a tailored severity calculation to Phishing alerts
- Using Regex expressions
For example, you can create a rule that triggers alerts for only certain use cases, i.e., fewer alerts are triggered than with the Threat Command Phishing Domain default-enabled rule. For more details, see Phishing domain Alert Profiler example.
Phishing domains
Phishing domains - Conditions
The following table describes the conditions that you can use to create rules.
When using a regular expression, don't enclose the expression in quotation marks.
Feature | Operator | Values | Description |
---|---|---|---|
Detection algorithm | identified/did not identify | a Phishing Domain | Did the Threat Command internal Phishing Domain detection algorithm identify a phishing domain? |
A record | contains/does not contain | "Regex" | Does the domain's "A" record contain a pattern (can be expressed as a regular expression)? |
Asset name | in/not in | Select assets | Does the brand name, company name, or domain name contain selected assets? |
Asset permutation | in/not in | "Homoglyph" | Does the domain name contain a look-alike character permutation of a company asset? |
Asset tags | in/not in | Select tags | Are any of the threat's matched assets tagged with any of the specified tags? |
Characters in domain name | =, !=, >=, <=, >, < | Type a number of characters | Does the domain name (without TLD) contain a specific number of characters? |
Asset permutation | in/not in | "Translation" | Does the domain name contain non-ASCII characters? |
Domain | contains/does not contain | "A record" | Does the domain have a DNS A record? |
Domain | contains/does not contain | "Meaningless website" | Is the website behind the domain meaningless? That is: Is the domain under construction, offered for sale, returning a server error, or blank? Does the website contain an iframe to the registrar domain, link to a domain hosting provider, or return an error? Is the website related to a parked-domains provider? |
Domain | contains/does not contain | "MX record" | Does the domain have a DNS MX record? |
Domain | contains/does not contain | "NS record" | Does the domain have a DNS NS record? |
Domain | is/is not | "Existing" | Does the domain exist? |
Domain | is/is not | "Expired" | Is the domain expired? If there is no expiry date, it is assumed that the domain is not expired. |
Domain days since domain registration | =, !=, >=, <=, >, < | Type a number of days since registration | How many days ago was this domain registered? Use an integer number greater than 0. If there is no WHOIS information available, the domain is assumed to have been registered one day before the domain was found. |
Domain name | contains/does not contain | "Company asset" | Does the domain name contain a company asset? |
Domain name | contains/does not contain | "Regex" | Does the domain name contain a pattern (can be expressed as a regular expression)? You can use the Exclude Domain feature to exclude a single domain. |
Domain Registrant | in/not in | Type a list of registrants, with regex | Is the domain registrant listed in a specific list? For each list item, you can use a regular expression. List items should be separated with a semicolon. |
Domain Registrant | is/is not | "Trusted" | Is the domain registrant trusted (based on an internal list of registrants who are considered trusted)? |
Domain Registrar | in/not in | Type a list of registrars, with regex | Is the domain registrar listed in a specific list? For each list item, you can use a regular expression. List items should be separated with a semicolon. |
Domain TLD | is/is not | "Same as asset TLD" | Does the domain have the same TLD as a company domain? |
Domain type | is/is not | "Domain"/"Subdomain" | Is the domain a domain or is it a subdomain? |
Domain WHOIS record | contains/does not contain | "Regex" | Does the domain's WHOIS record contain a pattern (can be expressed as a regular expression)? |
MX record | contains/does not contain | "Regex" | Does the domain's "MX" record contain a pattern (can be expressed as a regular expression)? |
NS record | contains/does not contain | "Regex" | Does the domain's "NS" record contain a pattern (can be expressed as a regular expression)? |
Subdomain name | is/is not | "Company domain" | Is the subdomain name exactly the same as the company domain with its top-level domain? |
Subdomain name | is/is not | "Company name or Brand name" | Is the subdomain name exactly the same as the company name or brand name? |
Website | contains/does not contain | "Login form" | Does the website contain a login form with an input field for password? |
Website | is/is not | "Redirecting elsewhere" | Does the website redirect to another website? |
Website content | contains/does not contain | "Company domain" | Does the website contain your company domain? |
Website content | contains/does not contain | "Company emails related to my domain" | Does the website contain email addresses that are related to your company domain? |
Website content | contains/does not contain | Company logo | Does the website contain a company logo? |
Website content | contains/does not contain | "Company name or Brand names" | Does the website contain your company or brand names? |
Website content | contains/does not contain | "Regex list" | Does the website contain a pattern (can be expressed as a regular expression)? |
Phishing domains - rules
The following table lists the rules that are provided to get you started quickly.
Rule name | Description of match | Default state |
---|---|---|
Phishing Domain - Default Detection Rule | Domain detected as a phishing domain by the internal Threat Command detection algorithm | Enabled |
Suspected Phishing domain recently registered - Default Detection Rule | Domain detected as a phishing domain by the internal Threat Command detection algorithm AND Domain was registered less than 7 days ago | Disabled |
Suspected Phishing domain with login form - Default Detection Rule | Domain detected as a phishing domain by the internal Threat Command detection algorithm AND Website contains a login form | Disabled |
Suspected Phishing domain with MX record - Default Detection Rule | Domain detected as a phishing domain by the internal Threat Command detection algorithm AND Domain contains an MX record | Enabled |
Phishing domain Alert Profiler example
An example of how to use the Alert Profiler for phishing domains could be to trigger alerts only for certain use cases. Also see the Best Practices for Phishing Domain Detection.
The following illustration shows how you can add conditions to the Threat Command Phishing Domain default rule to make alert triggering more selective. Alerts will be triggered only if the website has a login page AND the website content matches a specific regex list ("intsights" or "int-sights"):
Phishing websites
Phishing Websites - conditions
The following table describes the conditions that you can use to create rules.
When using a regular expression, don't enclose the expression in quotation marks.
Features | Operator | Values | Description |
---|---|---|---|
Detection algorithm | identified/did not identify | "A phishing website" | Did the Threat Command internal detection algorithm identify a phishing website? |
Asset name | in/not in | Select assets | Does the brand name, company name, or domain name contain specific assets? |
Asset tags | in/not in | Select tags | Are any of the threat's matched assets tagged with any of the specified tags? |
Domain days since registration | =, !=, >=, <=, >, < | User will type # of days since registration | How many days ago was this domain registered? Use any integer number between 0 and 1000 days. |
Website | contains/does not contain | "Login form" | Does the website contain a login form with an input field for password? |
Website | is/is not | "Active" | Is the website active? |
Website content | contains/does not contain | "Brand name or Company name" | Does the website content contain a "Brand name" or "Company name" asset? |
Website content | contains/does not contain | Company logo | Does the website content contain a company logo? |
Website content | contains/does not contain | "Regex list" | Does the website content contain a specific pattern (can be expressed as a regular expression)? |
Website title | contains/does not contain | "Brand name or Company name" | Does the website title contain a "Brand name" or "Company name" asset? |
Website URL | contains/does not contain | "Brand name or Company name" | Does the website URL contain a "Brand name" or "Company name" asset? |
Website URL | contains/does not contain | "Regex list" | Does the website URL contain a specific pattern (can be expressed as a regular expression)? |
Website URL | is/is not | "Listed on Google Web Risk" | Is the website URL included on a Google Web Risk list? |
Phishing Websites - rules
The following table lists the rules that are provided to get you started quickly.
Rule name | Description of match | Default state |
---|---|---|
Phishing Websites - Default Detection Rule | A phishing website was detected by the internal Threat Command detection algorithm | Enabled |
Phishing websites Alert Profiler examples
These examples show how to use the Alert Profiler for phishing website threats.
Problem : The customer has a brand that is frequently targeted by phishing and other brands that are less targeted.
Solution : Add a condition (to the Detection algorithm) that alerts only on websites containing the targeted asset.
Customize alert triggering with the Alert profiler :
- Edit the default rule, and change "any" to "all."
- Add the Asset name condition.
- Add the parameters to select the targeted asset.
Problem : The customer is primarily targeted by phishing websites with a similar pattern (such as usage of certain hosting providers).
Solution : Add a condition (to the Detection algorithm) that alerts only on URLs (for example) that contain a certain pattern (defined by a Regex). Steps :
- Edit the default rule, and change "any" to "all."
- Add the Website URL condition.
- Add the parameters to define a Regex that will catch the troublesome hosts.
Phishing Watch
Phishing Watch - conditions
The following table describes the conditions that you can use to create rules.
When using a regular expression, don't enclose the expression in quotation marks.
Feature | Operator | Value | Description |
---|---|---|---|
Phishing Watch - Default Detection Rule | Identified or did not identify | "A suspicious clone" | Did the Threat Command internal Phishing Watch detection algorithm identify a suspicious cloned website? |
Phishing Watch - Default Detection Rule | Identified or did not identify | "A suspicious iframe" | Did the Threat Command internal Phishing Watch detection algorithm identify a suspicious iframe? |
Phishing Watch - Default Detection Rule | Identified or did not identify | "A suspicious redirect" | Did the Threat Command internal Phishing Watch detection algorithm identify a suspicious redirect? |
For example, if the presence of an iframe should NOT trigger an alert, you can remove the "suspicious iframe" condition and keep the other conditions.
In addition, you can use any of the following conditions:
Feature | Operator | Value | Description |
---|---|---|---|
Domain days since registration | =, !=, >=, <=, >, < | User will type # of days since registration | How many days ago was this domain registered? Use any integer number between 0 and 1000 days. |
Phishing Watch | Identified or did not identify | "A cloned website" | Did the Phishing Watch identify a cloned website? |
Phishing Watch | Identified or did not identify | "A website redirection" | Did the Phishing Watch identify a redirection to a company website? |
Phishing Watch | Identified or did not identify | "An iframe" | Did the Phishing Watch identify an iframe? |
Report origin | Is or is not | "A local endpoint" | Is the report origin a local endpoint? |
Report origin | Is or is not | "A public IP address" | Is the report origin a public IP address? |
Website | Is or is not | "Active" | Is the website active? |
Website | Contains or does not contain | "Login form" | Does the website contain a login form with an input field for passwords? |
Website content | Contains or does not contain | "Brand name or Company name" | Does the website content contain a "Brand names" or "Company names" asset? |
Website title | Contains or does not contain | "Brand name or Company name" | Does the website title contain a "Brand names" or "Company names" asset? |
Website URL | Contains or does not contain | "Brand name or Company name" | Does the website URL contain a "Brand names" or "Company names" asset? |
Website URL | Contains or does not contain | "Regex list" | Does the website URL contain a specific pattern (can be expressed as a regular expression)? |
Website URL | Is or is not | "Listed on Google Web Risk" | Is the website URL included on a Google Web Risk list? |
Phishing Watch - rules
The following table lists the rules that are provided to get you started quickly.
Rule name | Description of match | Default state |
---|---|---|
Phishing Watch - Default Detection Rule | A suspicious cloned website, redirect, or iframe was detected by the internal Threat Command detection algorithm | Enabled |
Best Practices for Phishing Domain Detection
Best-practice suggestions for using the Alert Profiler for phishing domain detection.
You can use the Alert Profiler to achieve the following:
- Reduce the number of phishing alerts and phishing false-positive alerts.
- Set a tailored severity calculation to phishing alerts.
Reduce the number of phishing alerts
The default Detection Algorithm looks for either of these matches, based on the Brand names, Company names, and Domains assets:
- The domain name is a permutation of any of these assets.
- The domain HTML content contains those exact assets.
Certain assets may create excess phishing alerts as well as many false-positive alerts. The first step in reducing the number of alerts is to review the Brand names, Company names, and Domains assets. If an asset is deemed to be "noisy", you can exclude it from being detected.
To exclude assets from detection:
You can exclude noisy assets from triggering alerts by adding a condition that excludes that asset to every existing or new rule.
In this example, the domain names "acme.one", "insights3.com" and "intsights-demo.com" will be excluded:
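To make the any/all composition of conditions concrete, here is an added Python model of the rules discussed on this page: the default detection rule, the Alert Profiler example (detection AND login form AND a content regex list of "intsights" or "int-sights"), the shipped "recently registered" rule with the documented one-day WHOIS fallback, and the noisy-domain exclusion above. This is illustrative code written for this page, not Threat Command's implementation or API; the Candidate record, the sample domains, dates and page text are constructed from the descriptions in the condition tables.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional

# Constructed candidate record carrying a few of the attributes that the
# condition tables inspect. Not the product's data model.
@dataclass
class Candidate:
    domain: str
    detected: bool                     # Detection algorithm identified a Phishing Domain
    login_form: bool = False           # Website contains "Login form"
    content: str = ""                  # text the "Website content" conditions inspect
    registered: Optional[date] = None  # WHOIS registration date; None = no WHOIS data
    found: date = date(2024, 3, 10)    # date the domain was found (constructed)

Condition = Callable[[Candidate], bool]

def days_since_registration(c: Candidate) -> int:
    """'Domain days since domain registration' with the documented fallback:
    no WHOIS data means the domain is treated as registered one day before it was found."""
    if c.registered is None:
        return 1
    return (c.found - c.registered).days

def content_matches_any(patterns: List[str]) -> Condition:
    """'Website content contains Regex list': true if any list item matches."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda c: any(rx.search(c.content) for rx in compiled)

def domain_not_in(excluded: List[str]) -> Condition:
    """'Domain name does not contain Regex', anchored so only the exact names are excluded."""
    compiled = [re.compile(rf"^{re.escape(name)}$", re.IGNORECASE) for name in excluded]
    return lambda c: not any(rx.search(c.domain) for rx in compiled)

@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    match: str = "all"  # "all" or "any": the two ways the Alert Profiler combines conditions

    def matches(self, c: Candidate) -> bool:
        results = [cond(c) for cond in self.conditions]
        return all(results) if self.match == "all" else any(results)

def detection(c: Candidate) -> bool:
    return c.detected

def login_form(c: Candidate) -> bool:
    return c.login_form

# Default rule: the detection verdict alone.
DEFAULT_RULE = Rule("Phishing Domain - Default Detection Rule", [detection])

# The Alert Profiler example: detection AND login form AND content regex list.
SELECTIVE_RULE = Rule("Login form and regex list",
                      [detection, login_form, content_matches_any(["intsights", "int-sights"])])

# Shipped-but-disabled rule: detection AND registered less than 7 days ago.
RECENT_RULE = Rule("Recently registered",
                   [detection, lambda c: days_since_registration(c) < 7])

# Default rule with the three noisy domains from the example excluded.
EXCLUDED_RULE = Rule("Default minus noisy domains",
                     [detection, domain_not_in(["acme.one", "insights3.com", "intsights-demo.com"])])

def alerts(rule: Rule, candidates: List[Candidate]) -> List[str]:
    """Domains that would raise an alert under the given rule."""
    return [c.domain for c in candidates if rule.matches(c)]

# Constructed sample candidates (not real findings).
SAMPLE = [
    Candidate("intsights-login.example", True, login_form=True,
              content="Sign in to IntSights", registered=date(2024, 3, 8)),
    Candidate("intsights-demo.com", True, content="Coming soon"),
    Candidate("insights3.com", True, content="Business insights blog",
              registered=date(2020, 1, 1)),
    Candidate("int-sights-support.example", True, login_form=True,
              content="Int-Sights helpdesk password reset"),
    Candidate("unrelated.example", False),
]

if __name__ == "__main__":
    for rule in (DEFAULT_RULE, SELECTIVE_RULE, RECENT_RULE, EXCLUDED_RULE):
        print(f"{rule.name}: {alerts(rule, SAMPLE)}")
```

Running it shows the effect each added condition has on the same five candidates: the default rule alerts on all four detected domains, the selective rule narrows that to the two with a login form and matching content, and the exclusion drops the two noisy names while leaving the others untouched. Note that the two candidates without WHOIS data count as registered one day ago and therefore satisfy the "recently registered" rule, which is worth remembering when that rule is enabled.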
Set a tailored severity calculation to Phishing alerts
Another way to enhance alert management is by tailoring the severity (Low, Medium, or High) assigned to triggered alerts. In addition to getting clearer classification, you can at the same time prevent alert generation for threats that fall below your severity criteria.
The suggestions we present are just that: suggestions. You can use them as-is, modify them for your needs, or ignore them. Note that every rule includes the default Detection Algorithm and triggers alerts only if a domain matches that algorithm AND the added criteria.
Low Severity
The rule consists of two parts. A low-severity alert will be triggered if "all" conditions of either part pass (the two parts are combined with an "any" condition). Anything that does not match at least this minimal rule will not generate an alert.
Part A
The default Detection algorithm [matches domains whose only connection is their name (a permutation of the asset) or their content (an exact match)] AND the domain is expired (which indicates an opportunity to purchase the domain).
Part B
The default Detection algorithm [matches domains whose only connection is their name (a permutation of the asset) or their content (an exact match)] AND the domain is in a very basic stage of a possible phishing campaign.
Medium Severity
A medium-severity alert will be triggered if a domain matches the default Detection algorithm [matches domains whose only connection is their name (a permutation of the asset) or their content (an exact match)] AND the domain is not expired AND the domain is in a more mature stage of a possible phishing campaign.
High Severity
A high-severity alert will be triggered if a domain matches the default Detection algorithm [matches domains whose only connection is their name (a permutation of the asset) or their content (an exact match)] AND the domain is expired AND it contains a login form. This indicates a live website that is possibly trying to phish company clients and employees.
Other common conditions
The previous suggestions can be enhanced and modified by adding other conditions. Here are some examples to consider:
- Identify domain parking:
- Identify domain names with sector-related words (e.g. Banking):
- Identify domain names with common misleading permutations (polymorphic phishing). For example, "lntsights" (with a lowercase "L" instead of the 1st "I") or "Intslghts" (with a lowercase "L" instead of the 2nd "I"):
Using Regex expressions
Many of the conditions enable the use of regex (regular expression) terms. This is a popular and powerful way to define more exact searches.
For example, a company named "ION" would falsely match the names "international", "nation", and "ionic".
Using the following regex search, you can ensure that only "ion" itself is matched:
- ^ finds only expressions that start exactly this way.
- $ finds only expressions that end exactly this way.
The previous example, as represented on https://regex101.com/: We recommend using any of the regex reference sites on the Web to learn more about regex.
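The anchored search described above, as an added Python example that is not part of the original page: it contrasts an unanchored "contains" search for ion with the ^ion$ pattern that the explanation of ^ and $ implies, shows why the expression must not be wrapped in quotation marks (the quotes become part of the pattern and nothing matches), and applies the same idea to the semicolon-separated regex lists accepted by the Domain Registrant and Domain Registrar conditions. The name list and the registrar names are constructed placeholders.

```python
import re
from typing import List

# Constructed names that all contain the letters "ion" somewhere.
NAMES = ["international", "nation", "ionic", "ion", "ION", "lion"]

def names_matching(pattern: str, names: List[str]) -> List[str]:
    """Names in which the pattern is found anywhere, like a 'contains' condition."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [n for n in names if rx.search(n)]

def split_regex_list(value: str) -> List[str]:
    """A Registrant/Registrar list: items separated by semicolons, each item a regex."""
    return [item.strip() for item in value.split(";") if item.strip()]

def in_regex_list(value: str, list_value: str) -> bool:
    """The 'in' operator over a regex list: true if any item matches the value."""
    return any(re.search(p, value, re.IGNORECASE) for p in split_regex_list(list_value))

if __name__ == "__main__":
    print(names_matching("ion", NAMES))      # every name, false positives included
    print(names_matching("^ion$", NAMES))    # only the exact brand name (case-insensitive)
    print(names_matching('"^ion$"', NAMES))  # quotes become part of the pattern: no matches
    # Constructed registrar list; each item is its own regular expression.
    print(in_regex_list("Demo Domains Inc", "Example Registrar LLC; ^Demo Domains.*"))
```

The ^ and $ anchors turn a substring test into a whole-value test, which is what removes "international" and "nation" from the results; if partial matches are wanted on purpose, anchor only one end (for example ^ion to keep "ionic"). The same anchoring applies to each item of a semicolon-separated list, so a list item without anchors will match any registrar whose name merely contains it.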