We have download and deploy the “phishing_lua” parser, “mismatched href header” rule, and “Phishing Profile” report
phishing_lua will register risk.warning "href host doesn't match displayed host"
Specifically, if an email contains an href for which displayed text is a url and the host portion of the displayed url doesn't match the host portion of the href then the above meta will be registered. For hostnames, only the domain is compared; for addresses, the entire address is compared.
Thank you for response
We are getting 1000s of events under the risk.warning "href host doesn't match displayed host", Can you please suggest how we can grill down to find the exact event eliminating the genuine's
Retrieving data ...