Educause Security Discussion mailing list archives

Spear phishing regex ideas


From: "Hall, Rand" <hallr () MERRIMACK EDU>
Date: Thu, 3 Apr 2014 14:22:42 -0400

A successful spear phishing campaign at a local institution got me playing
with a regex to alert on 3 types of domain name monkey business often seen
in targeted campaigns like those mentioned here
http://msisac.cisecurity.org/daily-tips/university-direct-deposit.cfm.

Links with no dot before the domain name:
http://www.my-company.com

Links with domain name crap after the domain name:
http://www.company.com-IT.com

Links that turn your domain into a subdomain:
https://www.company.com.index.ph

The following pretty much does the trick. Your users will do the darnedest
things with your domain name! You'll definitely want to monitor this for
false positive tuning...but I'm not getting many.

(?:(?:https?:\/\/)(?:[0-9a-z\.\-_\%]*?)(?:[^\.]))(?:(?:company\.com)|(?:(?:\.company\.com)(?:[^:\./\s\!\\?\>"]))|(?:(?:\.company\.com(?:[\.])(?:[^\s\/]))))

Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall () merrimack edu

If I had an hour to save the world, I would spend 59 minutes defining the
problem and one minute finding solutions. - Einstein
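
The posted pattern run over sample URLs and a constructed message body, as an added example that is not part of the original post: it reports which of the three tricks fired and, as a tuning caveat, shows that the trailing trick with no host label in front of the domain (http://company.com-IT.com) slips past because the pattern wants a dot before ".company.com". The names LOOKALIKE, classify_url, find_lookalikes and SAMPLE, and the re.IGNORECASE flag, are assumptions.

```python
import re

# The posted pattern with its three alternatives turned into named groups so a
# hit reports which trick fired; the matching logic is unchanged and
# "company.com" stands in for your own domain. re.IGNORECASE is an assumption
# (the post does not say which flags its alerting tool uses).
LOOKALIKE = re.compile(
    r'(?:https?:\/\/)(?:[0-9a-z\.\-_\%]*?)(?:[^\.])'
    r'(?:(?P<no_dot>company\.com)'                      # www.my-company.com
    r'|(?P<trailing>\.company\.com[^:\./\s\!\\?\>"])'   # www.company.com-IT.com
    r'|(?P<subdomain>\.company\.com\.[^\s\/]))',        # www.company.com.index.ph
    re.IGNORECASE,
)


def classify_url(url):
    """Return 'no_dot', 'trailing' or 'subdomain' for a flagged link, else None."""
    m = LOOKALIKE.search(url)
    return m.lastgroup if m else None


def find_lookalikes(text):
    """Scan a message body and return (trick, link) for every flagged link."""
    hits = []
    for m in LOOKALIKE.finditer(text):
        # Report the whole link, not just the characters the pattern consumed.
        link = re.match(r'\S+', text[m.start():]).group(0).rstrip('.,;)>"\'')
        hits.append((m.lastgroup, link))
    return hits


# Constructed sample body: the three tricks from the post plus legitimate links
# (trailing slash, bare domain, no scheme) that must not fire.
SAMPLE = """Dear staff, your direct deposit needs verification.
Update at http://www.my-company.com/payroll today.
If that fails use http://www.company.com-IT.com/login instead.
Backup: https://www.company.com.index.ph/portal
Real links: https://www.company.com/hr and http://company.com and mail.company.com:443/owa
"""

if __name__ == "__main__":
    for trick, link in find_lookalikes(SAMPLE):
        print(f"{trick:10s} {link}")
    # Tuning caveat: the trailing trick with no host label in front of the
    # domain is not caught, because the posted pattern wants a dot before it.
    print(classify_url("http://company.com-IT.com"))  # None
```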