Attachment: Fake secure message and suspicious indicators
Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.
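# Sublime detection rule. The listing below had its line-number gutter fused
# into each line ("1name:", "6 type.inbound", ...) and all MQL indentation
# flattened; this restores a loadable YAML document with the original rule
# logic unchanged. Only `#` (YAML) and `//` (MQL) comments were added.
name: "Attachment: Fake secure message and suspicious indicators"
description: 'Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.'
type: "rule"
severity: "medium"
source: |
  type.inbound
  // NLU intent on the current thread body must be a high-confidence credential-theft classification.
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
  )

  // ----- other suspicious signals here -----
  // At least one exploded attachment must (a) contain the string "secure message",
  // (b) carry a URL with a suspicious TLD or an open-redirect rewrite encoder, and
  // (c) link to a root domain other than the sender's, or come from an invalid sender domain.
  and any(attachments,
          any(file.explode(.),
              any(.scan.strings.strings, strings.icontains(., "secure message"))
              and (
                any(.scan.url.urls, .domain.tld in $suspicious_tlds)
                or any(.scan.url.urls,
                       any(.rewrite.encoders,
                           strings.icontains(., "open_redirect")
                       )
                )
              )
              and (
                any(.scan.url.urls,
                    .domain.root_domain != sender.email.domain.root_domain
                )
                or not sender.email.domain.valid
              )
          )
  )

  // negate legitimate message senders
  and (
    (
      sender.email.domain.root_domain not in ("protectedtrust.com")
      or not sender.email.domain.valid
    )
    // Only the first hop (.index == 0) is inspected for the Proofpoint boundary marker;
    // strings.contains is case-sensitive here, unlike the icontains checks above.
    and any(headers.hops,
            .index == 0
            and not any(.fields,
                        strings.contains(.value,
                                         'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
                        )
            )
    )
    // Exclude Zix-delivered messages: requires both the X-ZixNet header and a Zix root domain in the hops.
    and not (
      any(headers.hops, any(.fields, .name == 'X-ZixNet'))
      and any(headers.domains,
              .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
      )
    )
  )
  // Sender must be new/outlier and unsolicited, or have prior malicious/spam history.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // NOTE(review): this clause is subsumed by the unconditional
      // `and not profile.by_sender().any_false_positives` directly below; kept as-is.
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "20a34d94-61b7-5f8c-8070-47edce70e5de"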