From b56572f99efaea1ef80cdc526be544937f5705c5 Mon Sep 17 00:00:00 2001 From: keaton-sublime Date: Mon, 6 Jul 2026 12:42:31 -0400 Subject: [PATCH 1/4] Create service_abuse_surveymonkey_suspicious_outbound.yml --- ...abuse_surveymonkey_suspicious_outbound.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml diff --git a/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml b/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml new file mode 100644 index 00000000000..8a74c39a95f --- /dev/null +++ b/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml @@ -0,0 +1,23 @@ +name: "Service abuse: SurveyMonkey with suspicious outbound links" +description: "Detects messages sent from SurveyMonkey's user domain that contain links to non-SurveyMonkey domains within nested table elements, excluding survey-related content." +type: "rule" +severity: "medium" +source: | + type.inbound + and sender.email.domain.root_domain == "surveymonkeyuser.com" + and any(html.xpath(body.html, '//table//table//a').nodes, + .links[0].href_url.domain.root_domain != "surveymonkey.com" + and not strings.icontains(.inner_text, "survey") + and not .links[0].href_url.domain.root_domain == "mimecastprotect.com" + ) + +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" + - "Impersonation: Brand" +detection_methods: + - "Content analysis" + - "HTML analysis" + - "Sender analysis" + - "URL analysis" From f84114f7e9076a60801ee925bb9739703fef23d7 Mon Sep 17 00:00:00 2001 From: CI Bot Date: Mon, 6 Jul 2026 16:47:21 +0000 Subject: [PATCH 2/4] Auto-format MQL and add rule IDs --- .../service_abuse_surveymonkey_suspicious_outbound.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml b/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml index 8a74c39a95f..e74108b1858 100644 --- a/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml +++ b/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml @@ -6,11 +6,10 @@ source: | type.inbound and sender.email.domain.root_domain == "surveymonkeyuser.com" and any(html.xpath(body.html, '//table//table//a').nodes, - .links[0].href_url.domain.root_domain != "surveymonkey.com" - and not strings.icontains(.inner_text, "survey") - and not .links[0].href_url.domain.root_domain == "mimecastprotect.com" + .links[0].href_url.domain.root_domain != "surveymonkey.com" + and not strings.icontains(.inner_text, "survey") + and not .links[0].href_url.domain.root_domain == "mimecastprotect.com" ) - attack_types: - "Credential Phishing" tactics_and_techniques: @@ -21,3 +20,4 @@ detection_methods: - "HTML analysis" - "Sender analysis" - "URL analysis" +id: "f183bd14-d8f0-5a69-9cce-9a9eee855bf7" From 724b0eed7cf6e22cd837f9f2931c9371a87d5a12 Mon Sep 17 00:00:00 2001 From: keaton-sublime Date: Wed, 8 Jul 2026 13:11:25 -0400 Subject: [PATCH 3/4] Update service_abuse_surveymonkey_suspicious_outbound.yml --- ...vice_abuse_surveymonkey_suspicious_outbound.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml b/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml index e74108b1858..f43f15c87ce 100644 --- a/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml +++ b/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml @@ -8,8 +8,20 @@ source: | and any(html.xpath(body.html, '//table//table//a').nodes, .links[0].href_url.domain.root_domain != "surveymonkey.com" and not strings.icontains(.inner_text, "survey") - and not .links[0].href_url.domain.root_domain == "mimecastprotect.com" + and not ( + .links[0].href_url.domain.root_domain in ( + "mimecast.com", + "mimecastprotect.com" + ) + and any(.links[0].href_url.query_params_decoded['domain'], + strings.parse_domain(.).domain in $tenant_domains + or strings.parse_domain(.).domain in ( + "surveymonkey.com", + ) + ) + ) ) + attack_types: - "Credential Phishing" tactics_and_techniques: From a5e026a3ce9eb3bb98f5a2117b1685bc37895f7e Mon Sep 17 00:00:00 2001 From: CI Bot Date: Wed, 8 Jul 2026 17:12:52 +0000 Subject: [PATCH 4/4] Auto-format MQL and add rule IDs --- .../service_abuse_surveymonkey_suspicious_outbound.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml b/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml index f43f15c87ce..eed48a037a7 100644 --- a/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml +++ b/detection-rules/service_abuse_surveymonkey_suspicious_outbound.yml @@ -13,15 +13,12 @@ source: | "mimecast.com", "mimecastprotect.com" ) - and any(.links[0].href_url.query_params_decoded['domain'], - strings.parse_domain(.).domain in $tenant_domains - or strings.parse_domain(.).domain in ( - "surveymonkey.com", - ) + and any(.links[0].href_url.query_params_decoded['domain'], + strings.parse_domain(.).domain in $tenant_domains + or strings.parse_domain(.).domain in ("surveymonkey.com", ) ) ) ) - attack_types: - "Credential Phishing" tactics_and_techniques: