Attachment: Fake secure message and suspicious indicators

Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.

Sublime rule

 1name: "Attachment: Fake secure message and suspicious indicators"
 2description: 'Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.'
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(ml.nlu_classifier(body.current_thread.text).intents,
 8          .name == "cred_theft" and .confidence == "high"
 9  )
10  
11  // ----- other suspicious signals here -----
12  and any(attachments,
13          any(file.explode(.),
14              any(.scan.strings.strings, strings.icontains(., "secure message"))
15              and (
16                any(.scan.url.urls, .domain.tld in $suspicious_tlds)
17                or any(.scan.url.urls,
18                       any(.rewrite.encoders,
19                           strings.icontains(., "open_redirect")
20                       )
21                )
22              )
23              and (
24                any(.scan.url.urls,
25                    .domain.root_domain != sender.email.domain.root_domain
26                )
27                or not sender.email.domain.valid
28              )
29          )
30  )
31  
32  // negate legitimate message senders
33  and (
34    (
35      sender.email.domain.root_domain not in ("protectedtrust.com")
36      or not sender.email.domain.valid
37    )
38    and any(headers.hops,
39            .index == 0
40            and not any(.fields,
41                        strings.contains(.value,
42                                         'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
43                        )
44            )
45    )
46    and not (
47      any(headers.hops, any(.fields, .name == 'X-ZixNet'))
48      and any(headers.domains,
49              .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
50      )
51    )
52    and not all(body.links,
53              .href_url.domain.root_domain in ("mimecast.com", "cisco.com")
54    )
55  )
56  and (
57    (
58      profile.by_sender().prevalence in ("new", "outlier")
59      and not profile.by_sender().solicited
60    )
61    or (
62      profile.by_sender().any_messages_malicious_or_spam
63      and not profile.by_sender().any_false_positives
64    )
65  )
66  and not profile.by_sender().any_false_positives
67  
68  // negate highly trusted sender domains unless they fail DMARC authentication
69  and (
70    (
71      sender.email.domain.root_domain in $high_trust_sender_root_domains
72      and not headers.auth_summary.dmarc.pass
73    )
74    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
75  )  
76
77attack_types:
78  - "Credential Phishing"
79tactics_and_techniques:
80  - "Image as content"
81  - "Impersonation: Brand"
82  - "Social engineering"
83detection_methods:
84  - "Content analysis"
85  - "File analysis"
86  - "Header analysis"
87  - "Natural Language Understanding"
88  - "Sender analysis"
89id: "20a34d94-61b7-5f8c-8070-47edce70e5de"