Attachment: Fake secure message and suspicious indicators

Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.

Sublime rule (View on GitHub)

# Detection rule: credential-theft wording in the message body combined with an
# attached "secure message" lure, restricted to senders without a benign history.
# NOTE(review): $suspicious_tlds and $high_trust_sender_root_domains are lists
# maintained outside this rule; keep them in sync with the exemptions below.
name: "Attachment: Fake secure message and suspicious indicators"
description: 'Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.'
type: "rule"
severity: "medium"
source: |
  // inbound mail only, and the NLU classifier must tag the current thread body
  // as a "cred_theft" intent with "high" confidence
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
  )
  
  // ----- other suspicious signals here -----
  // at least one exploded attachment must (1) contain the string "secure message",
  // (2) carry a URL whose TLD is in $suspicious_tlds or whose rewrite encoders include
  // "open_redirect", and (3) either link to a root domain other than the sender's
  // or come from a sender whose domain is not valid
  and any(attachments,
          any(file.explode(.),
              any(.scan.strings.strings, strings.icontains(., "secure message"))
              and (
                any(.scan.url.urls, .domain.tld in $suspicious_tlds)
                or any(.scan.url.urls,
                       any(.rewrite.encoders,
                           strings.icontains(., "open_redirect")
                       )
                )
              )
              and (
                any(.scan.url.urls,
                    .domain.root_domain != sender.email.domain.root_domain
                )
                or not sender.email.domain.valid
              )
          )
  )
  
  // negate legitimate message senders
  // exemptions: a valid protectedtrust.com sender, a first hop (.index == 0) whose
  // headers carry the Proofpoint secure-message boundary, or an X-ZixNet header
  // together with a Zix root domain among the header domains.
  // NOTE(review): the Proofpoint and Zix exemptions key on header content and are not
  // tied to sender authentication; treat them as false-positive suppressors rather
  // than proof of origin, and confirm this is the intended trade-off
  and (
    (
      sender.email.domain.root_domain not in ("protectedtrust.com")
      or not sender.email.domain.valid
    )
    and any(headers.hops,
            .index == 0
            and not any(.fields,
                        strings.contains(.value,
                                         'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
                        )
            )
    )
    and not (
      any(headers.hops, any(.fields, .name == 'X-ZixNet'))
      and any(headers.domains,
              .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
      )
    )
  )
  // sender reputation: either unfamiliar (new/outlier prevalence and unsolicited) or
  // with prior malicious/spam messages; any recorded false positive for the sender
  // suppresses the rule via the trailing clause, which appears to make the
  // any_false_positives check inside the second branch redundant
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a sender in $high_trust_sender_root_domains only matches when DMARC does not pass)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Classification metadata for the rule.
# NOTE(review): no explicit image analysis is visible in the source above; if the
# "Image as content" tactic relies on file.explode / .scan.strings extracting text
# from images, confirm that is the case before keeping the tag.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "20a34d94-61b7-5f8c-8070-47edce70e5de"