Service abuse: AppSheet infrastructure with suspicious indicators

Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastructure abuse has recently been observed being used to send phishing attacks.

Sublime rule

# Sublime Security detection rule. `source` holds the MQL query evaluated per
# inbound message; the remaining keys are rule metadata (see the trailing
# attack_types / tactics_and_techniques / detection_methods / id fields).
name: "Service abuse: AppSheet infrastructure with suspicious indicators"
description: "Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks."
type: "rule"
severity: "medium"
# Query structure: (1) the sender must be AppSheet's no-reply address,
# (2) at least one of four suspicious-indicator groups must match, and
# (3) the reply-to exclusion for in-org AppSheet use must not apply.
source: |
  type.inbound
  and sender.email.email == "noreply@appsheet.com"
  and (
    // recently registered or suspicious links
    // links whose root domain is appsheet.com are filtered out before the
    // checks below, so only third-party destinations are evaluated
    (
      any(filter(body.links, .href_url.domain.root_domain != "appsheet.com"),
          // domain registered within the last 10 days per WHOIS
          network.whois(.href_url.domain).days_old <= 10
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.domain in $free_subdomain_hosts
          or .href_url.domain.root_domain in $url_shorteners
          // account for URL rewrites
          // the decoded 'domain' query parameter is checked against the same lists
          or (
            any(.href_url.query_params_decoded['domain'],
                (
                  . in $url_shorteners
                  or . in $free_subdomain_hosts
                  or . in $free_file_hosts
                )
            )
          )
      )
    )
    // suspicious display name
    // two patterns are passed: abuse/legal keywords, and a set of Unicode
    // blank characters that can be used to pad or disguise a display name
    or (
      regex.icontains(sender.display_name,
                      '(?:legal|misuse|compliance|violation|enforcement)',
                      // unicode blank character confusables in display name
                      '\x{00A0}|\x{1680}|\x{2000}|\x{200A}|\x{200B}|\x{202F}|\x{205F}|\x{3000}'
      )
      // commonly impersonated brands
      // confusable characters are normalised before the wildcard match
      or strings.ilike(strings.replace_confusables(sender.display_name),
                       '*Apple*',
                       '*Amazon*',
                       '*Binance*',
                       '*Facebook*',
                       '*Meta*',
                       '*Google*',
                       '*LinkedIn*'
      )
    )
    // suspicious pattern in body
    // NOTE(review): in this regex "Violation", "Contravention", "Complaint" and
    // "Misuse" are alternatives of the outer group on their own, so any one of
    // those words alone anywhere in the body text satisfies this branch;
    // confirm that is intended rather than "(Copyright|...) (Policy|Violation|...)".
    or regex.icontains(body.current_thread.text,
                       '(?:(Copyright|Advertising|Content|Data|Intellectual Property|I\.?\s?P\.?\b) (?:Polic(y|ies))|Violation|Contravention|Complaint|Misuse)|(?:(Enforce(ment)?|Required|Mandatory|Immediate) (?:Action|Response))|Cease (\&|and) Desist'
    )
    // NLU failsafe
    // fires on a medium/high confidence cred_theft, steal_pii or job_scam intent
    or (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in~ ("cred_theft", "steal_pii", "job_scam")
          and .confidence in~ ("medium", "high")
      )
      // negate the NLU result if there is only a single link leading back to AppSheet (likely benign)
      and not (
        length(body.links) == 1
        and any(body.links,
                .display_text == "Powered by AppSheet"
                and .href_url.domain.root_domain == "appsheet.com"
        )
      )
    )
  )
  // negate legitimate use of AppSheet within the org
  // a non-AppSheet reply-to address in an org or recipient domain is treated as internal use
  // NOTE(review): length() yields a count; `length(headers.reply_to) > 0` may be
  // the intended guard here — confirm against MQL's null semantics
  and not (
    length(headers.reply_to) is not null
    and any(filter(headers.reply_to, .email.domain.root_domain != "appsheet.com"),
            .email.domain.root_domain in~ $org_domains
            or .email.domain.root_domain in~ $recipient_domains
    )
  )  

# Rule metadata used for classification in the Sublime UI
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "Whois"
id: "5937646a-60b0-5b86-9df0-94c8d18aa774"