Hello Phish!

title: Hello Phish!
description: |
    Phishing sites often use domains containing the brand name they're impersonating.
    Let's find a phishing site where the domain contains "stripe"
level: potentially_malicious

# The `detection` section of an IOK rule is where you write your detection logic
detection:
    # Within this section, you can write multiple properties.
    # These properties can be named anything you like.
    #
    # For now, we'll just use a single property called "containsStripe"
    containsStripe:
        # There are many aspects of a website you can write IOK rules based on.
        # Here we'll use the `hostname` field.
        # Replace the emoji with "stripe" and click the button on the right
        # to check if your rule matches the phishing site.
        hostname|contains: '🤔'

    # All rules need a `condition`.
    # This defines what combination of properties mean the rule matches a site.
    # For now, our condition is simply:
    # this rule matches a site if the "containsStripe" property is true
    condition: containsStripe


Quick Reference

IOK rules allow you to detect (potential/likely/confirmed) phishing sites by matching on various properties of the website like the text on the page, the cookies set, and the filenames of the assets loaded.

Fields

  • hostname (string)
    The hostname of the site.
    e.g. www.phish.domain

  • title (string list)
    The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains all of them.
    e.g. Login | My Bank

  • html (string)
    The contents of the page HTML as returned by the server, before any JavaScript has run.
    e.g. <html><head>....</html>

  • dom (string)
    The contents of the page HTML after loading (e.g. after JavaScript has executed and modified the page).
    e.g. <html><head>....</html>

  • js (string list)
    Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally).
    e.g. !function(e,t){"object"==typeof module&&

  • css (string list)
    Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets).
    e.g. .redTitle {color: red;}

  • cookies (string list)
    Cookies set by the page. Each is in the form cookieName=value.
    e.g. PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3

  • headers (string list)
    Response headers sent by the server. Each is in the form Header-Name: value.
    e.g. X-Powered-By: PHP/7.4.33

  • requests (string list)
    URLs of requests made by the page (and by assets loaded by the page).
    e.g. https://www.phish.domain/css/style.css

title: Example rule
description: |
    This should describe what the rule detects.
    You can use markdown syntax

# The level setting determines whether you'll be alerted
# about matches or if this site is just monitored for changes
level: likely_malicious

# This is where your rule logic lives
# It is formed of a set of properties and a condition
detection:
    propertyOne:
        html|contains: "a string"

    propertyTwo:
        requests|endswith: "/logo.png"

    # The condition combines the properties using and/or/not
    condition: propertyOne and not propertyTwo

Modifiers

  • contains
    True if the field contains the string.

  • startswith
    True if the field starts with the string.

  • endswith
    True if the field ends with the string.

  • all
    When a list of values is provided, requires every one of them to match, rather than any single one.
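To make the semantics of the Hello Phish rule, the example rule above and the modifiers concrete, here is a small evaluator written for this page. It is added example code, not Phish Report's IOK engine: rules are Python dicts mirroring the YAML shown here, the site it scans is a constructed sample (not a real capture), and it makes two assumptions the quick reference does not spell out: a modifier applied to a string-list field is true if any element matches, and `all` is stacked after another modifier as `html|contains|all`. The third rule (a hypothetical Stripe kit signature) is invented to exercise several fields at once.

```python
"""Toy evaluator for IOK-style rules (added example, not Phish Report's engine).

Assumptions not stated in the quick reference:
  * a modifier on a string-list field is true if ANY element matches;
  * `all` is stacked after another modifier, e.g. "html|contains|all".
"""
import ast

# Constructed sample site (dom/js/css omitted), keyed by quick-reference field names.
SAMPLE_SITE = {
    "hostname": "secure-stripe-login.example",
    "title": ["Stripe | Login"],
    "html": "<html><body><h1>Stripe | Login</h1>Sign in to your Stripe account</body></html>",
    "cookies": ["PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3"],
    "headers": ["X-Powered-By: PHP/7.4.33", "Server: nginx"],
    "requests": ["https://secure-stripe-login.example/css/style.css",
                 "https://secure-stripe-login.example/img/logo.png"],
}

MODIFIERS = {
    "contains": lambda value, needle: needle in value,
    "startswith": lambda value, needle: value.startswith(needle),
    "endswith": lambda value, needle: value.endswith(needle),
}


def eval_property(prop, site):
    """One named property: every 'field|modifier[|all]: value' key in it must hold."""
    for key, expected in prop.items():
        field, *mods = key.split("|")
        require_all = "all" in mods
        mods = [m for m in mods if m != "all"]
        if len(mods) != 1 or mods[0] not in MODIFIERS:
            raise ValueError(f"unsupported modifier in {key!r}")
        match = MODIFIERS[mods[0]]
        values = site.get(field, [])
        if isinstance(values, str):  # string fields are treated as one-element lists
            values = [values]
        needles = expected if isinstance(expected, list) else [expected]
        # One hit per needle: does any element of the field satisfy it?
        hits = [any(match(v, needle) for v in values) for needle in needles]
        if not (all(hits) if require_all else any(hits)):
            return False
    return True


def eval_condition(condition, truth):
    """Evaluate 'a and not b' style conditions over per-property results.

    Python's parser handles and/or/not and parentheses; the walker accepts only
    those node types, so a rule's condition can never execute arbitrary code."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            results = [walk(v) for v in node.values]
            return all(results) if isinstance(node.op, ast.And) else any(results)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            if node.id not in truth:
                raise ValueError(f"condition references unknown property {node.id!r}")
            return truth[node.id]
        raise ValueError(f"unsupported syntax in condition: {type(node).__name__}")
    return walk(ast.parse(condition, mode="eval").body)


def rule_matches(rule, site):
    """True if the rule's condition holds for the site."""
    detection = rule["detection"]
    truth = {name: eval_property(prop, site)
             for name, prop in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], truth)


# The tutorial rule, once the emoji has been replaced with "stripe".
HELLO_PHISH = {"title": "Hello Phish!", "level": "potentially_malicious",
               "detection": {"containsStripe": {"hostname|contains": "stripe"},
                             "condition": "containsStripe"}}

# The example rule from the quick reference.
EXAMPLE_RULE = {"title": "Example rule", "level": "likely_malicious",
                "detection": {"propertyOne": {"html|contains": "a string"},
                              "propertyTwo": {"requests|endswith": "/logo.png"},
                              "condition": "propertyOne and not propertyTwo"}}

# Hypothetical kit signature combining several fields and the `all` modifier.
STRIPE_KIT = {"title": "Stripe login kit on PHP", "level": "likely_malicious",
              "detection": {"brandInHost": {"hostname|contains": "stripe"},
                            "phpBackend": {"headers|startswith": "X-Powered-By: PHP"},
                            "loginText": {"html|contains|all": ["Sign in", "Stripe"]},
                            "condition": "brandInHost and phpBackend and loginText"}}

if __name__ == "__main__":
    for rule in (HELLO_PHISH, EXAMPLE_RULE, STRIPE_KIT):
        print(f"{rule['title']!r}: {rule_matches(rule, SAMPLE_SITE)}")
```

Running it shows the Hello Phish rule matching and the example rule not matching (the sample page lacks "a string", and its requests do end with /logo.png, so propertyTwo is true and negated). Note the caveat the tutorial rule carries: hostname|contains: stripe also fires on the brand's own domains and anything else containing the substring, which is why it is only `potentially_malicious`; a rule you would want alerted on combines the brand indicator with kit-specific properties (headers, asset paths, page text), as the example rule and the hypothetical STRIPE_KIT do.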