Adding social landing check where URL shortener checks exist

detection-rules/attachment_qr_code_suspicious_components.yml

@@ -72,6 +72,7 @@ source: |
 
                     // or the QR code's root domain is a url_shortener
                     .scan.qr.url.domain.root_domain in $url_shorteners
+                    or .scan.qr.url.domain.root_domain in $social_landing_hosts
                     and (
                       not (
                         any(ml.nlu_classifier(body.current_thread.text).intents,

detection-rules/attachment_rtf_file_with_suspicious_link.yml

@@ -28,6 +28,7 @@ source: |
                               or .domain.root_domain in $free_file_hosts
                               or .domain.root_domain in $free_subdomain_hosts
                               or .domain.root_domain in $url_shorteners
+                              or .domain.root_domain in $social_landing_hosts
                             )
                             // or the url contains the recipient email and the root_domain is not in tranco
                             or (

detection-rules/brand_impersonation_ms_planner.yml

@@ -12,6 +12,8 @@ source: |
               or .href_url.domain.root_domain in $free_file_hosts
               or .href_url.domain.root_domain in $free_subdomain_hosts
               or .href_url.domain.domain in $url_shorteners
+              or .href_url.domain.domain in $social_landing_hosts
+              or .href_url.domain.root_domain in $social_landing_hosts
               or 
 
               // mass mailer link, masks the actual URL

detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml

@@ -77,6 +77,7 @@ source: |
             or .href_url.domain.root_domain in $free_file_hosts
             or .href_url.domain.root_domain in $free_subdomain_hosts
             or .href_url.domain.domain in $url_shorteners
+            or .href_url.domain.domain in $social_landing_hosts
           )
           or 
           // or mass mailer link, masks the actual URL

detection-rules/govdelivery_compromise.yml

@@ -24,7 +24,9 @@ source: |
               ),
               // this is inside the filtered results to avoid flagging this condition on known link domains, as listed above
               strings.parse_url(.named_groups["url"]).domain.domain in $url_shorteners
+              or strings.parse_url(.named_groups["url"]).domain.domain in $social_landing_hosts
               or strings.parse_url(.named_groups["url"]).domain.root_domain in $url_shorteners
+              or strings.parse_url(.named_groups["url"]).domain.root_domain in $social_landing_hosts
               or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
               or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
               or network.whois(strings.parse_url(.named_groups["url"]).domain).days_old < 30

detection-rules/link_autodownloaded_html_smuggling.yml

@@ -11,6 +11,7 @@ source: |
              or .href_url.domain.root_domain in $free_file_hosts
              or .href_url.domain.root_domain in $free_subdomain_hosts
              or .href_url.domain.domain in $url_shorteners
+             or .href_url.domain.domain in $social_landing_hosts
              or 
 
              // mass mailer link, masks the actual URL

detection-rules/link_coinbase_low_rep_or_shortened.yml

@@ -16,6 +16,7 @@ source: |
   // low rep or url shortened links found
   and any(body.links,
           .href_url.domain.domain in $url_shorteners
+          or .href_url.domain.domain in $social_landing_hosts
 
           // exempting legitimate Google Maps shortener
           and (
@@ -26,6 +27,7 @@ source: |
               or .href_url.domain.root_domain in $free_file_hosts
               or .href_url.domain.root_domain in $free_subdomain_hosts
               or .href_url.domain.domain in $url_shorteners
+              or .href_url.domain.domain in $social_landing_hosts
               or 
 
               // mass mailer link, masks the actual URL

detection-rules/link_credential_phishing_intent_and_other_indicators.yml

@@ -392,7 +392,9 @@ source: |
           )
           and (
             .href_url.domain.domain in $url_shorteners
+            or .href_url.domain.domain in $social_landing_hosts
             or .href_url.domain.root_domain in $url_shorteners
+            or .href_url.domain.root_domain in $social_landing_hosts
             or .href_url.domain.domain in $free_file_hosts
             or (
               .href_url.domain.root_domain in (
@@ -404,6 +406,8 @@ source: |
                       or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $url_shorteners
                       or strings.parse_url(strings.concat("https://", .)).domain.domain in $free_file_hosts
                       or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $free_subdomain_hosts
+                      or strings.parse_url(strings.concat("https://", .)).domain.domain in $social_landing_hosts
+                      or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $social_landing_hosts
               )
             )
           )

detection-rules/link_google_presentation_open_redirect.yml

@@ -55,6 +55,7 @@ source: |
                         or .href_url.domain.root_domain in $free_subdomain_hosts
                         // or it's a url shortner
                         or .href_url.domain.root_domain in $url_shorteners
+                        or .href_url.domain.root_domain in $social_landing_hosts
                       )
                       // which have been "unrolled" by the google_open_redirect rule
                       and any(.href_url.rewrite.encoders,

detection-rules/link_microsoft_low_reputation.yml

@@ -13,6 +13,7 @@ source: |
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
+           or .href_url.domain.domain in $social_landing_hosts
            or 
 
            // mass mailer link, masks the actual URL

detection-rules/link_multistage_adobe_express.yml

@@ -49,7 +49,9 @@ source: |
                     )
                     // go to url shortners
                     or .href_url.domain.root_domain in $url_shorteners
+                    or .href_url.domain.root_domain in $social_landing_hosts
                     or .href_url.domain.domain in $url_shorteners
+                    or .href_url.domain.domain in $social_landing_hosts
                     or (
                       // find any links that mention common "action" words
                       regex.icontains(.display_text,

detection-rules/link_multistage_docusign.yml

@@ -57,7 +57,9 @@ source: |
                 )
                 // go to url shortners
                 or .href_url.domain.root_domain in $url_shorteners
+                or .href_url.domain.root_domain in $social_landing_hosts
                 or .href_url.domain.domain in $url_shorteners
+                or .href_url.domain.domain in $social_landing_hosts
                 or (
                   // find any links that mention common "action" words
                   regex.icontains(.display_text,

detection-rules/link_multistage_frame_io.yml

@@ -116,7 +116,9 @@ source: |
                  )
                  // go to url shortners
                  or .href_url.domain.root_domain in $url_shorteners
+                 or .href_url.domain.root_domain in $social_landing_hosts
                  or .href_url.domain.domain in $url_shorteners
+                 or .href_url.domain.domain in $social_landing_hosts
                  or (
                    // find any links that mention common "action" words
                    regex.icontains(subject.subject,

detection-rules/link_multistage_google_drive.yml

@@ -103,7 +103,9 @@ source: |
                               or strings.parse_url(.).domain.domain in $free_file_hosts
                               or strings.parse_url(.).domain.root_domain in $free_file_hosts
                               or strings.parse_url(.).domain.domain in $url_shorteners
+                              or strings.parse_url(.).domain.domain in $social_landing_hosts
                               or strings.parse_url(.).domain.root_domain in $url_shorteners
+                              or strings.parse_url(.).domain.root_domain in $social_landing_hosts
                           )
                       )
                   )
@@ -131,7 +133,9 @@ source: |
                     )
                     // go to url shortners
                     or .href_url.domain.root_domain in $url_shorteners
+                    or .href_url.domain.root_domain in $social_landing_hosts
                     or .href_url.domain.domain in $url_shorteners
+                    or .href_url.domain.domain in $social_landing_hosts
                     or (
                       // find any links that mention common "action" words
                       regex.icontains(.display_text,

detection-rules/link_published_google_doc.yml

@@ -47,7 +47,9 @@ source: |
                     )
                     // go to url shortners
                     or .href_url.domain.root_domain in $url_shorteners
+                    or .href_url.domain.root_domain in $social_landing_hosts
                     or .href_url.domain.domain in $url_shorteners
+                    or .href_url.domain.domain in $social_landing_hosts
 
                     // go to suspicious TLDs
                     or .href_url.domain.tld in $suspicious_tlds
@@ -65,7 +67,9 @@ source: |
                              and .href_url.domain.subdomain != "www"
                            )
                            or .href_url.domain.root_domain in $url_shorteners
+                           or .href_url.domain.root_domain in $social_landing_hosts
                            or .href_url.domain.domain in $url_shorteners
+                           or .href_url.domain.domain in $social_landing_hosts
 
                            // go to suspicious TLDs
                            or .href_url.domain.tld in $suspicious_tlds

detection-rules/link_quickbooks_image_lure_suspicious_link.yml

@@ -35,6 +35,7 @@ source: |
             or .href_url.domain.root_domain in $free_file_hosts
             or .href_url.domain.root_domain in $free_subdomain_hosts
             or .href_url.domain.domain in $url_shorteners
+            or .href_url.domain.domain in $social_landing_hosts
             or 
 
             // mass mailer link, masks the actual URL

detection-rules/spam_url_shortener_emojis.yml

@@ -10,7 +10,7 @@ source: |
   and sender.email.domain.root_domain in $free_email_providers
 
   // has a URL shortener
-  and any(body.links, .href_url.domain.root_domain in $url_shorteners)
+  and any(body.links, .href_url.domain.root_domain in $url_shorteners or .href_url.domain.root_domain in $social_landing_hosts)
 
   // short body, basically just the URL
   and length(body.plain.raw) < 100

detection-rules/spoofable_internal_domain_suspicious_signals.yml

@@ -37,6 +37,7 @@ source: |
             or .href_url.domain.root_domain in $free_file_hosts
             or .href_url.domain.root_domain in $free_subdomain_hosts
             or .href_url.domain.domain in $url_shorteners
+            or .href_url.domain.domain in $social_landing_hosts
           )
       )
     ),