Sync from PR#2002

Create mismatched_display_url_suspicious_href_tld.yml by @morriscode
#2002
Source SHA 39811f0
Triggered by @morriscode

detection-rules/mismatched_display_url_suspicious_href_tld.yml

@@ -0,0 +1,30 @@
+name: "Display url mismatch leading to suspicious TLD"
+description: "This rule detects messages that do not original from a suspicious TLD, but contain a link mismatch where the destination url is a suspicious tld. "
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.links) < 30
+  and not any([subject.subject, sender.display_name],
+            regex.icontains(., '(а|е|и|о|у)')
+    )
+  and sender.email.domain.tld not in $suspicious_tlds
+  and any(body.links,
+          not strings.contains(.display_url.url, "@")
+          and .display_url.domain.tld not in $suspicious_tlds
+          and .mismatched
+          and .href_url.domain.tld in $suspicious_tlds
+          and not .href_url.domain.root_domain == "avanan.click"
+          and not .href_url.domain.root_domain == "emailprotection.link"
+          and not .display_url.url =~ "chownow.com"
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "URL analysis"
+id: "07b13707-92c5-599a-b6da-1cb2d26dab14"
+testing_pr: 2002
+testing_sha: 39811f04a215f2b8d0ca06bfaf1c543bd0559e0c