Attachment: Fake secure message and suspicious indicators
Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.
name: "Attachment: Fake secure message and suspicious indicators"
description: 'Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.'
type: "rule"
severity: "medium"
source: |
  // Inbound only, and the NLU classifier must tag the current-thread body
  // with the "cred_theft" intent at high confidence.
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high")

  // ----- other suspicious signals here -----
  // Some exploded attachment content mentions "secure message", carries a URL
  // on a suspicious TLD or rewritten through an "open_redirect" encoder, and
  // either links off the sender's root domain or the sender domain is invalid.
  and any(attachments,
          any(file.explode(.),
              any(.scan.strings.strings, strings.icontains(., "secure message"))
              and (
                any(.scan.url.urls, .domain.tld in $suspicious_tlds)
                or any(.scan.url.urls,
                       any(.rewrite.encoders, strings.icontains(., "open_redirect")))
              )
              and (
                any(.scan.url.urls,
                    .domain.root_domain != sender.email.domain.root_domain)
                or not sender.email.domain.valid
              )))

  // negate legitimate message senders
  and (
    (
      sender.email.domain.root_domain not in ("protectedtrust.com")
      or not sender.email.domain.valid
    )
    // hop 0 must not carry the PROOFPOINT_BOUNDARY_1 MIME boundary
    and any(headers.hops,
            .index == 0
            and not any(.fields,
                        strings.contains(.value,
                                         'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"')))
    // an X-ZixNet header together with a zix* root domain in headers.domains
    and not (
      any(headers.hops, any(.fields, .name == 'X-ZixNet'))
      and any(headers.domains,
              .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net"))
    )
    // NOTE(review): if body.links is empty, all() may be vacuously true and
    // this clause would then suppress the match — confirm that is intended
    and not all(body.links,
                .href_url.domain.root_domain in ("mimecast.com", "cisco.com"))
  )

  // sender profile: new/outlier and unsolicited, or previously flagged as
  // malicious/spam without any false positives
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // applied to both branches above, so the inner any_false_positives check
  // is redundant but kept for readability
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "20a34d94-61b7-5f8c-8070-47edce70e5de"