Attachment: EML with link to credential phishing page
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
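name: "Attachment: EML with link to credential phishing page"
description: |
  Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
type: "rule"
severity: "high"
source: |
  // Inbound message carrying exactly one attachment, where that attachment is an
  // EML whose links are classified as credential phishing (or resolve/redirect to
  // suspicious TLDs), combined with at least one social-engineering indicator.
  // Bounce-backs, read receipts and known-good senders are excluded at the end.
  type.inbound
  and length(attachments) == 1
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension =~ "eml")

          // identifies suspicious URLs in the attached EML
          and any(file.parse_eml(.).body.links,
                  (
                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
                    and ml.link_analysis(., mode="aggressive").credphish.confidence in (
                      "medium",
                      "high"
                    )
                  )

                  // or any links in the final dom lead to a suspicious tld
                  or any(ml.link_analysis(.).final_dom.links,
                         .href_url.domain.tld in $suspicious_tlds
                         or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
                  )

                  // link redirects to a suspicious TLD
                  or any(ml.link_analysis(., mode="aggressive").redirect_history,
                         .domain.tld in $suspicious_tlds
                  )
                  or (
                    // suspicious redirects
                    // 3 or more different domains with 2 or more different TLDs
                    // careful because click trackers will always make this at least 2
                    // different domains and not unlikely 2 or more TLDs
                    length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                        .domain.tld
                                    )
                           )
                    ) >= 2
                    and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                            .domain.domain
                                        )
                               )
                    ) >= 3
                  )
          )

          // identifies other suspicious indicators
          // (still inside any(attachments, ...) so "." is the attached EML)
          and (
            // engaging language in the original body
            any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
            )

            // engaging language in the attached EML
            or any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).entities,
                   .name == "request"
            )
            // recipient SLD impersonated in the subject or display name
            or any(recipients.to,
                   // ensure that we're checking the org SLD
                   .email.domain.sld in $org_slds
                   and (
                     strings.icontains(subject.subject, .email.domain.sld)
                     or strings.icontains(sender.display_name, .email.domain.sld)
                   )
            )
            // mismatched sender (From) and Reply-to + freemail
            or any(headers.reply_to,
                   length(headers.reply_to) > 0
                   and all(headers.reply_to,
                           .email.domain.root_domain != sender.email.domain.root_domain
                           and .email.domain.root_domain in $free_email_providers
                   )
            )
            or any($suspicious_subjects, strings.icontains(subject.subject, .))
            // common credential-phishing subject lures; many patterns use
            // [il1]-style classes to catch homoglyph substitutions
            or regex.icontains(subject.subject,
                               "termination.*notice",
                               "38417",
                               ":completed",
                               "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                               "[il][il][il]egai[ -]",
                               "[li][li][li]ega[li] attempt",
                               "[ng]-?[io]n .*block",
                               "[ng]-?[io]n .*cancel",
                               "[ng]-?[io]n .*deactiv",
                               "[ng]-?[io]n .*disabl",
                               "action.*required",
                               "abandon.*package",
                               "about.your.account",
                               "acc(ou)?n?t (is )?on ho[li]d",
                               "acc(ou)?n?t.*terminat",
                               "acc(oun)?t.*[il1]{2}mitation",
                               "access.*limitation",
                               "account (will be )?block",
                               "account.*de-?activat",
                               "account.*locked",
                               "account.*re-verification",
                               "account.*security",
                               "account.*suspension",
                               "account.has.been",
                               "account.has.expired",
                               "account.will.be.blocked",
                               "account v[il]o[li]at",
                               "activity.*acc(oun)?t",
                               "almost.full",
                               "app[li]e.[il]d",
                               "authenticate.*account",
                               "been.*suspend",
                               "clos.*of.*account.*processed",
                               "confirm.your.account",
                               "courier.*able",
                               "crediential.*notif",
                               "deactivation.*in.*progress",
                               "delivery.*attempt.*failed",
                               "document.received",
                               "documented.*shared.*with.*you",
                               "dropbox.*document",
                               // NOTE(review): ".{010}" matches exactly ten characters; this
                               // looks like a rendering artifact — confirm the intended
                               // quantifier against the repository source
                               "e-?ma[il1]+ .{010}suspen",
                               "e-?ma[il1]{1} user",
                               "e-?ma[il1]{2} acc",
                               "e-?ma[il1]{2}.*up.?grade",
                               "e.?ma[il1]{2}.*server",
                               "e.?ma[il1]{2}.*suspend",
                               "email.update",
                               "faxed you",
                               "fraud(ulent)?.*charge",
                               "from.helpdesk",
                               "fu[il1]{2}.*ma[il1]+[ -]?box",
                               "has.been.*suspended",
                               "has.been.limited",
                               "have.locked",
                               "he[li]p ?desk upgrade",
                               "heipdesk",
                               "i[il]iega[il]",
                               "ii[il]ega[il]",
                               "incoming e?mail",
                               "incoming.*fax",
                               "lock.*security",
                               "ma[il1]{1}[ -]?box.*quo",
                               "ma[il1]{2}[ -]?box.*fu[il1]",
                               "ma[il1]{2}box.*[il1]{2}mit",
                               "ma[il1]{2}box stor",
                               "mail on.?hold",
                               "mail.*box.*migration",
                               "mail.*de-?activat",
                               "mail.update.required",
                               "mails.*pending",
                               "messages.*pending",
                               "missed.*shipping.*notification",
                               "missed.shipment.notification",
                               "must.update.your.account",
                               "new [sl][io]g?[nig][ -]?in from",
                               "new voice ?-?mail",
                               "notifications.*pending",
                               "office.*3.*6.*5.*suspend",
                               "office365",
                               "on google docs with you",
                               "online doc",
                               "password.*compromised",
                               "periodic maintenance",
                               "potential(ly)? unauthorized",
                               "refund not approved",
                               "report",
                               "revised.*policy",
                               "scam",
                               "scanned.?invoice",
                               "secured?.update",
                               "security breach",
                               "securlty",
                               "signed.*delivery",
                               // NOTE(review): ".{314}?" matches exactly 314 characters; this
                               // looks like a rendering artifact — confirm the intended
                               // quantifier against the repository source
                               "status of your .{314}? ?delivery",
                               "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                               "suspicious.*sign.*[io]n",
                               "suspicious.activit",
                               "temporar(il)?y deactivate",
                               "temporar[il1]{2}y disab[li]ed",
                               "temporarily.*lock",
                               "un-?usua[li].activity",
                               "unable.*deliver",
                               "unauthorized.*activit",
                               "unauthorized.device",
                               "undelivered message",
                               "unread.*doc",
                               "unusual.activity",
                               "upgrade.*account",
                               "upgrade.notice",
                               "urgent message",
                               "urgent.verification",
                               "v[il1]o[li1]at[il1]on security",
                               "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                               "verification ?-?require",
                               "verification( )?-?need",
                               "verify.your?.account",
                               "web ?-?ma[il1]{2}",
                               "web[ -]?ma[il1]{2}",
                               "will.be.suspended",
                               "your (customer )?account .as",
                               "your.office.365",
                               "your.online.access",
            )
          )
  )
  // exclude bounce backs & read receipts
  and not strings.ilike(sender.email.local_part,
                        "*postmaster*",
                        "*mailer-daemon*",
                        "*administrator*"
  )
  // exclude optonline deprecated mailbox returns
  // the negation must wrap both terms: written as "not A and B" the rule would
  // only ever match senders whose root domain is optonline.net
  and not (
    strings.starts_with(sender.display_name, "Auto-reply")
    and sender.email.domain.root_domain == "optonline.net"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // unsolicited senders, or solicited senders with prior malicious/spam
  // history; any false-positive history suppresses the rule in both cases
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"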