Phishing detection rule recipes

Most brand impersonation can be detected with the same basic set of IOK (Indicator of Kit) rules. This page gives you a set of recipes you can adapt to your own needs: replace the brand, Brand and brand.com placeholders with your own brand name and domain.

Discovery rules

You can't scan every single site on the internet. These discovery rules help identify potentially malicious sites which should be investigated further, for example by submitting them for a full scan to check them for known phishing kits.

Monitoring domains containing your brand name

A substring match is deliberately broad: it also fires on your own domain and on unrelated names that happen to contain the string, which is why this rule is level: monitored rather than likely_malicious.

title: brand-keywords
description: Monitor domains containing "brand"
level: monitored

detection:
  containsBrandname:
    hostname|contains:
      - "brand"
      - "brand2"

  condition: containsBrandname

Getting alerted to sites with the same title as your login page

Phishing sites commonly use exactly the same title as your login page, either intentionally (to make them more believable) or unintentionally (as a side effect of the cloning process).

title: login-title
description: Page has the same title as Brand's login page
level: likely_malicious

detection:
  loginTitle:
    title: "Login | Brand"

  realDomain:
    hostname|subdomain: brand.com

  condition: loginTitle and not realDomain

Find sites hotlinking assets from your login page

Poorly constructed phishing sites often still load assets (e.g. your logo) directly from your real website instead of hosting their own copies.

title: hotlinked-assets
description: Page hotlinks assets from Brand's login page
level: likely_malicious

detection:
  hotlinkedAsset:
    requests|startswith:
      - "https://brand.com/static/"
      - "https://brand.com/login/assets/"

  realDomain:
    hostname|subdomain: brand.com

  condition: hotlinkedAsset and not realDomain
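The three discovery rules above, evaluated over a few constructed scan records. This is an added example and not code from this page or from the IOK project: the rules are transcribed into Python dicts, the hostname/title/requests record shape is assumed, and the semantics given to the contains, startswith, endswith and subdomain modifiers (listed values OR'd, fields within a selection AND'd) are my reading of the recipes rather than the project's implementation. The notbrand.com record is there to show why the real-domain exclusion needs a proper subdomain test and not a suffix match.

```python
"""Run the three discovery rules above against constructed scan records.

Added example, not code from this page or from the IOK project: the rules are
transcribed into dicts, and the modifier, selection and condition semantics
below are my reading of the recipes, not the project's implementation.
"""

RULES = [
    {"title": "brand-keywords", "level": "monitored", "detection": {
        "containsBrandname": {"hostname|contains": ["brand", "brand2"]},
        "condition": "containsBrandname"}},
    {"title": "login-title", "level": "likely_malicious", "detection": {
        "loginTitle": {"title": "Login | Brand"},
        "realDomain": {"hostname|subdomain": "brand.com"},
        "condition": "loginTitle and not realDomain"}},
    {"title": "hotlinked-assets", "level": "likely_malicious", "detection": {
        "hotlinkedAsset": {"requests|startswith": [
            "https://brand.com/static/", "https://brand.com/login/assets/"]},
        "realDomain": {"hostname|subdomain": "brand.com"},
        "condition": "hotlinkedAsset and not realDomain"}},
]


def is_subdomain(host, domain):
    """True for brand.com and *.brand.com only. A bare endswith("brand.com")
    would also exclude notbrand.com, exactly the kind of host an attacker picks."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


MODIFIERS = {  # assumed semantics of the field|modifier keys used on this page
    "": lambda actual, want: actual == want,
    "contains": lambda actual, want: want in actual,
    "startswith": lambda actual, want: actual.startswith(want),
    "endswith": lambda actual, want: actual.endswith(want),
    "subdomain": is_subdomain,
}


def _field_matches(page, key, wanted):
    field, _, modifier = key.partition("|")
    actuals = page.get(field, [])
    actuals = [actuals] if isinstance(actuals, str) else actuals
    wanted = wanted if isinstance(wanted, list) else [wanted]
    # Listed values are OR'd; requests is itself a list, so any URL may match.
    return any(MODIFIERS[modifier](a, w) for a in actuals for w in wanted)


def _selection_matches(page, selection):
    return all(_field_matches(page, k, v) for k, v in selection.items())  # AND'd


def _eval_condition(cond, results):
    """Recursive-descent evaluator for 'a and not (b or c)' style conditions
    (precedence: not, then and, then or) so rule text never reaches eval()."""
    tokens = cond.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def expr():  # or-level
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = term() | value
        return value

    def term():  # and-level
        nonlocal pos
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = factor() & value
        return value

    def factor():  # not, parenthesised group, or selection name
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            pos += 1  # closing parenthesis
            return value
        return results[tok]

    return expr()


def evaluate(rule, page):
    detection = rule["detection"]
    results = {name: _selection_matches(page, sel)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def scan(page):
    """Titles of the rules that fire on one scan record."""
    return [r["title"] for r in RULES if evaluate(r, page)]


# Constructed scan records: hostname, <title>, and the URLs the page requested.
SAMPLE_PAGES = {
    "real": {"hostname": "login.brand.com", "title": "Login | Brand",
             "requests": ["https://brand.com/static/app.js"]},
    "clone": {"hostname": "brand-login-verify.example", "title": "Login | Brand",
              "requests": ["https://brand.com/login/assets/logo.svg"]},
    "lookalike": {"hostname": "notbrand.com", "title": "Login | Brand", "requests": []},
    "benign": {"hostname": "example.org", "title": "Welcome", "requests": []},
}
```

Calling scan(SAMPLE_PAGES["real"]) returns only brand-keywords, because the realDomain selection suppresses the two likely_malicious rules; the clone trips all three, and notbrand.com trips brand-keywords and login-title even though its hostname ends in "brand.com".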

Identifying specific phishing kits

Phishing sites loading distinctive filenames

Your real website often loads files with names like styles.1cc93f3a.css, where the middle component is a build or content hash that identifies the deployed version and changes whenever you deploy a change. A phishing site cloned from your website keeps its copied assets under the original filename, so once your site has moved on to a newer build, a request for the old filename is a distinctive indicator of that clone. Only add such a rule once the real site has stopped serving that filename; until then it will fire on your own domain too, unless you add a realDomain exclusion to the condition as in the rules above.

title: kit-1cc93f3a
description: Page loads a distinctive filename associated with a previous clone of Brand's login page
level: likely_malicious

detection:
  distinctiveFilename:
    requests|endswith:
      - "/styles.1cc93f3a.css"

  condition: distinctiveFilename

Read more about detecting sites using hashes in filenames.
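One way to seed such a rule from your own page, as an added example that is not code from this page or from the IOK project: it pulls the href/src values out of a constructed snapshot of the login page, keeps only filenames that carry a hex build hash, renders them in the shape of the kit-1cc93f3a recipe, and applies the resulting requests|endswith check to a constructed clone's request list. The hash pattern (eight or more hex characters between two dots) is an assumption; plain version numbers such as jquery-3.6.0.min.js are deliberately excluded, because a shared library filename would match every site that uses that library.

```python
"""Derive a kit rule's distinctive filenames from your own login page HTML.

Added example, not code from this page or from the IOK project. The HTML and
the clone's request list are constructed; the rule format mirrors the
kit-1cc93f3a recipe above. Assumption: a "distinctive" asset is one whose
filename carries a hex build/content hash of eight or more characters.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches styles.1cc93f3a.css or app.7d21e0c4.min.js, but not 3.6.0-style
# version numbers, which shared libraries (and therefore benign sites) carry.
HASHED_NAME = re.compile(r"^[^/]+\.[0-9a-f]{8,}\.[A-Za-z0-9.]+$")


class AssetCollector(HTMLParser):
    """Collect href values from <link> tags and src values from <script> tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = {"link": "href", "script": "src"}.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.urls.append(value)


def distinctive_filenames(html):
    """Return '/<filename>' for every loaded asset whose name carries a build hash."""
    collector = AssetCollector()
    collector.feed(html)
    names = []
    for url in collector.urls:
        filename = urlsplit(url).path.rsplit("/", 1)[-1]
        if HASHED_NAME.match(filename):
            names.append("/" + filename)
    return names


def kit_rule(brand, filenames):
    """Render the rule text in the same shape as the kit-1cc93f3a recipe."""
    tag = filenames[0].split(".")[1] if filenames else "unknown"  # first hash names the kit
    lines = [
        f"title: kit-{tag}",
        f"description: Page loads a distinctive filename associated with a previous clone of {brand}'s login page",
        "level: likely_malicious",
        "",
        "detection:",
        "  distinctiveFilename:",
        "    requests|endswith:",
    ]
    lines += [f'      - "{name}"' for name in filenames]
    lines += ["", "  condition: distinctiveFilename"]
    return "\n".join(lines)


def loads_distinctive_file(requests, filenames):
    """The rule's requests|endswith check, applied to one scanned page's requests."""
    return any(url.endswith(name) for url in requests for name in filenames)


# Constructed snapshot of the real login page as deployed *before* a redeploy.
LOGIN_PAGE_HTML = """<html><head><title>Login | Brand</title>
<link rel="stylesheet" href="/static/styles.1cc93f3a.css">
<link rel="icon" href="/static/favicon.ico">
<script src="https://brand.com/static/app.7d21e0c4.js"></script>
<script src="https://cdn.example/jquery-3.6.0.min.js"></script>
</head><body></body></html>"""

# Constructed request list from a clone that kept the copied assets.
CLONE_REQUESTS = [
    "https://brand-login-verify.example/styles.1cc93f3a.css",
    "https://cdn.example/jquery-3.6.0.min.js",
]

if __name__ == "__main__":
    names = distinctive_filenames(LOGIN_PAGE_HTML)
    print(kit_rule("Brand", names))
    print("clone matches:", loads_distinctive_file(CLONE_REQUESTS, names))
```

Run it whenever you deploy: the filenames it emits for the previous build are exactly the ones a clone made from that build will keep requesting, while favicon.ico and the shared jQuery build are skipped because they would also match legitimate sites.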