From edbbf7beacdfc71ba92974650f64f93973ee9688 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 31 Jul 2025 22:52:18 -0500
Subject: [PATCH 1/2] Create link_single_riddle.yml
---
 detection-rules/link_single_riddle.yml | 33 ++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 detection-rules/link_single_riddle.yml
diff --git a/detection-rules/link_single_riddle.yml b/detection-rules/link_single_riddle.yml
new file mode 100644
index 00000000000..2736b5a179f
--- /dev/null
+++ b/detection-rules/link_single_riddle.yml
@@ -0,0 +1,33 @@
+name: "Link: Direct link to riddle.com hosted showcase"
+description: "Message contains a single link to a Riddle.com hosted showcase which has been observed abused for credential phishing landing"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(body.links,
+ .href_url.domain.root_domain == "riddle.com"
+ )
+ and length(filter(body.links,
+ .href_url.domain.root_domain == "riddle.com"
+ and strings.istarts_with(.href_url.path, '/view/')
+ )
+ ) == 1
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+ and not profile.by_sender_email().any_messages_benign
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
+ - "Header analysis"
From 7351bf8cfbdc00faa95da59cb82790ee96e2e434 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 1 Aug 2025 03:53:53 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/link_single_riddle.yml | 1 +
 1 file changed, 1 insertion(+)
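Review bot: The `length(filter(...)) == 1` check in the new `source` block appears to count link anchors rather than distinct URLs, so a message that wraps both an image and a button around the same `/view/` showcase link yields two matches and the rule stays silent, and a second decoy `/view/` link has the same effect. If the rule language provides `distinct()`, counting unique URLs is more robust: `length(distinct(filter(body.links, .href_url.domain.root_domain == "riddle.com" and strings.istarts_with(.href_url.path, '/view/')), .href_url.url)) == 1`; otherwise consider whether `>= 1` combined with the existing high-trust-sender and benign-profile negations already gives an acceptable false-positive rate. The preceding `any(body.links, .href_url.domain.root_domain == "riddle.com")` is implied by a length of exactly one and can be dropped. The `Free file host` tactic also reads oddly for a quiz/marketing platform, and a short `//` comment above the `length(...)` check stating why exactly one showcase link is the signal would help the next maintainer tune the threshold.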
diff --git a/detection-rules/link_single_riddle.yml b/detection-rules/link_single_riddle.yml
index 2736b5a179f..f74e40845d6 100644
--- a/detection-rules/link_single_riddle.yml
+++ b/detection-rules/link_single_riddle.yml
@@ -31,3 +31,4 @@ detection_methods:
 - "Sender analysis"
 - "URL analysis"
 - "Header analysis"
+id: "cca7d2f5-421f-5421-ae13-da5588c15c8b"