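# config/suspicious_rules.yaml
# Baseline suspicious rules for SneakyScope.
# Organized by category: script, form, text.
# Extend these with more specific rules as needed.
#
# Each rule is a mapping with four keys: `name` (unique identifier),
# `description` (human-readable reason shown with a hit), `category`
# (script | form | text) and `type: regex` with a `pattern`.
# Patterns are YAML double-quoted strings, so a regex backslash is
# spelled `\\` and a literal double quote `\"`.
# NOTE(review): whether a pattern is applied case-insensitively, and
# whether it runs on raw HTML or on extracted text, is decided by the
# consuming code rather than by this file — confirm before relying on
# the text rules below, which are written in lowercase only.
---
# --- Script Rules ---
# Indicators that a page's script content uses primitives commonly seen
# in injected or obfuscated code; each is a heuristic, not proof.
- name: eval_usage
  description: "Use of eval() in script"
  category: script
  type: regex
  pattern: "\\beval\\("

- name: document_write
  description: "Use of document.write (often abused in malicious injections)"
  category: script
  type: regex
  pattern: "document\\.write\\("

- name: inline_event_handler
  description: "Inline event handler detected (onload, onclick, etc.)"
  category: script
  type: regex
  pattern: "on(load|click|error|mouseover|keydown)\\s*="

- name: obfuscated_encoding
  description: "Suspicious use of atob() or btoa() (base64 encoding/decoding)"
  category: script
  type: regex
  pattern: "\\b(atob|btoa)\\("

- name: suspicious_iframe
  description: "Iframe usage in script (possible phishing/malvertising)"
  category: script
  type: regex
  # Reconstructed: the leading `<iframe[^>` was lost when the file was
  # extracted (the surviving text `]*>` only matches literal brackets).
  # Confirm against the upstream copy of this file.
  pattern: "<iframe[^>]*>"

# --- Form Rules ---
# Indicators on <form> / <input> markup; `suspicious_form_action` looks for
# a form posting to an absolute http(s) URL, which may be a different origin.
- name: suspicious_form_action
  description: "Form action with external URL (potential credential exfiltration)"
  category: form
  type: regex
  # Reconstructed: the leading `<form[^>` was lost in extraction — confirm
  # against the upstream copy of this file.
  pattern: "<form[^>]*action=['\"]http"

- name: hidden_inputs
  description: "Form with hidden inputs (possible credential harvesting)"
  category: form
  type: regex
  # Reconstructed: the leading `<input[^>` was lost in extraction — confirm
  # against the upstream copy of this file.
  pattern: "<input[^>]*type=['\"]hidden"

- name: password_field
  description: "Form requesting password field"
  category: form
  type: regex
  # Reconstructed: the leading `<input[^>` was lost in extraction — confirm
  # against the upstream copy of this file.
  pattern: "<input[^>]*type=['\"]password"

# --- Text Rules (Social Engineering / BEC) ---
# Phrase-level heuristics for urgency, threats and payment requests. Expect
# false positives on legitimate notifications; weight them accordingly.
- name: urgent_request
  description: "Language suggesting urgency (common in phishing/BEC)"
  category: text
  type: regex
  pattern: "(urgent|immediately|asap|action required)"

- name: account_suspension
  description: "Threat of account suspension/closure"
  category: text
  type: regex
  # `.*` spans any text between the two words on one match attempt; on very
  # large inputs consider bounding it (e.g. `.{0,40}`) to keep matching cheap.
  pattern: "(account.*suspend|account.*close|verify.*account)"

- name: financial_request
  description: "Request for gift cards, wire transfer, or money"
  category: text
  type: regex
  pattern: "(gift card|wire transfer|bank account|bitcoin|payment required)"

- name: credential_reset
  description: "Password reset or credential reset wording"
  category: text
  type: regex
  pattern: "(reset password|update credentials|login to verify)"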