Attachment: EML with link to credential phishing page
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
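name: "Attachment: EML with link to credential phishing page"
description: |
  Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
type: "rule"
severity: "high"
source: |
  type.inbound
  // exactly one attachment, and it must be a forwarded/attached message
  and length(attachments) == 1
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension =~ "eml")

          // identifies suspicious URLs in the attached EML
          and any(file.parse_eml(.).body.links,
                  (
                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
                    and ml.link_analysis(., mode="aggressive").credphish.confidence in (
                      "medium",
                      "high"
                    )
                  )

                  // or any links in the final dom lead to a suspicious tld
                  or any(ml.link_analysis(.).final_dom.links,
                         .href_url.domain.tld in $suspicious_tlds
                         or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
                  )

                  // link redirects to a suspicious TLD
                  or any(ml.link_analysis(., mode="aggressive").redirect_history,
                         .domain.tld in $suspicious_tlds
                  )
                  or (
                    // suspicious redirects
                    // 3 or more different domains with 2 or more different TLDs
                    // careful because click trackers will always make this at least 2
                    // different domains and not unlikely 2 or more TLDs
                    length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                        .domain.tld
                                    )
                           )
                    ) >= 2
                    and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                            .domain.domain
                                        )
                               )
                    ) >= 3
                  )
          )

          // identifies other suspicious indicators
          // (still scoped to the attachment so file.parse_eml(.) can be used below)
          and (
            // engaging language in the original body
            any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
            )

            // engaging language in the attached EML
            or any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).entities,
                   .name == "request"
            )
            // recipient SLD impersonated in the subject or display name
            or any(recipients.to,
                   // ensure that we're checking the org SLD
                   .email.domain.sld in $org_slds
                   and (
                     strings.icontains(subject.subject, .email.domain.sld)
                     or strings.icontains(sender.display_name, .email.domain.sld)
                   )
            )
            // mismatched sender (From) and Reply-to + freemail
            or any(headers.reply_to,
                   length(headers.reply_to) > 0
                   and all(headers.reply_to,
                           .email.domain.root_domain != sender.email.domain.root_domain
                           and .email.domain.root_domain in $free_email_providers
                   )
            )
            or any($suspicious_subjects, strings.icontains(subject.subject, .))
            // subject-line lures; some terms are deliberately broad ("report", "scam")
            // because this branch only matters once a flagged link was already found above
            or regex.icontains(subject.subject,
                               "termination.*notice",
                               "38417",
                               ":completed",
                               "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                               "[il][il][il]egai[ -]",
                               "[li][li][li]ega[li] attempt",
                               "[ng]-?[io]n .*block",
                               "[ng]-?[io]n .*cancel",
                               "[ng]-?[io]n .*deactiv",
                               "[ng]-?[io]n .*disabl",
                               "action.*required",
                               "abandon.*package",
                               "about.your.account",
                               "acc(ou)?n?t (is )?on ho[li]d",
                               "acc(ou)?n?t.*terminat",
                               "acc(oun)?t.*[il1]{2}mitation",
                               "access.*limitation",
                               "account (will be )?block",
                               "account.*de-?activat",
                               "account.*locked",
                               "account.*re-verification",
                               "account.*security",
                               "account.*suspension",
                               "account.has.been",
                               "account.has.expired",
                               "account.will.be.blocked",
                               "account v[il]o[li]at",
                               "activity.*acc(oun)?t",
                               "almost.full",
                               "app[li]e.[il]d",
                               "authenticate.*account",
                               "been.*suspend",
                               "clos.*of.*account.*processed",
                               "confirm.your.account",
                               "courier.*able",
                               "deactivation.*in.*progress",
                               "delivery.*attempt.*failed",
                               "document.received",
                               "documented.*shared.*with.*you",
                               "dropbox.*document",
                               // bounded gap between "email" and "suspen"; an exact-count
                               // quantifier here (".{010}") would almost never match
                               "e-?ma[il1]+ .{0,10}suspen",
                               "e-?ma[il1]{1} user",
                               "e-?ma[il1]{2} acc",
                               "e-?ma[il1]{2}.*up.?grade",
                               "e.?ma[il1]{2}.*server",
                               "e.?ma[il1]{2}.*suspend",
                               "email.update",
                               "faxed you",
                               "fraud(ulent)?.*charge",
                               "from.helpdesk",
                               "fu[il1]{2}.*ma[il1]+[ -]?box",
                               "has.been.*suspended",
                               "has.been.limited",
                               "have.locked",
                               "he[li]p ?desk upgrade",
                               "heipdesk",
                               "i[il]iega[il]",
                               "ii[il]ega[il]",
                               "incoming e?mail",
                               "incoming.*fax",
                               "lock.*security",
                               "ma[il1]{1}[ -]?box.*quo",
                               "ma[il1]{2}[ -]?box.*fu[il1]",
                               "ma[il1]{2}box.*[il1]{2}mit",
                               "ma[il1]{2}box stor",
                               "mail on.?hold",
                               "mail.*box.*migration",
                               "mail.*de-?activat",
                               "mail.update.required",
                               "mails.*pending",
                               "messages.*pending",
                               "missed.*shipping.*notification",
                               "missed.shipment.notification",
                               "must.update.your.account",
                               "new [sl][io]g?[nig][ -]?in from",
                               "new voice ?-?mail",
                               "notifications.*pending",
                               "office.*3.*6.*5.*suspend",
                               "office365",
                               "on google docs with you",
                               "online doc",
                               "password.*compromised",
                               "periodic maintenance",
                               "potential(ly)? unauthorized",
                               "refund not approved",
                               "report",
                               "revised.*policy",
                               "scam",
                               "scanned.?invoice",
                               "secured?.update",
                               "security breach",
                               "securlty",
                               "signed.*delivery",
                               // bounded gap for a short carrier/order word; an exact-count
                               // quantifier here (".{314}") would almost never match
                               "status of your .{3,14}? ?delivery",
                               "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                               "suspicious.*sign.*[io]n",
                               "suspicious.activit",
                               "temporar(il)?y deactivate",
                               "temporar[il1]{2}y disab[li]ed",
                               "temporarily.*lock",
                               "un-?usua[li].activity",
                               "unable.*deliver",
                               "unauthorized.*activit",
                               "unauthorized.device",
                               "undelivered message",
                               "unread.*doc",
                               "unusual.activity",
                               "upgrade.*account",
                               "upgrade.notice",
                               "urgent message",
                               "urgent.verification",
                               "v[il1]o[li1]at[il1]on security",
                               "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                               "verification ?-?require",
                               "verification( )?-?need",
                               "verify.your?.account",
                               "web ?-?ma[il1]{2}",
                               "web[ -]?ma[il1]{2}",
                               "will.be.suspended",
                               "your (customer )?account .as",
                               "your.office.365",
                               "your.online.access",
            )
          )
  )
  // exclude bounce backs & read receipts
  and not strings.ilike(sender.email.local_part,
                        "*postmaster*",
                        "*mailer-daemon*",
                        "*administrator*"
  )
  // exclude optonline deprecated mailbox returns
  // the whole conjunction is negated: only optonline.net "Auto-reply" senders are
  // excluded. Negating just the first term would restrict the rule to optonline.net
  // senders and silently suppress every other match.
  and not (
    strings.starts_with(sender.display_name, "Auto-reply")
    and sender.email.domain.root_domain == "optonline.net"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // sender reputation: unsolicited senders, or solicited ones with prior
  // malicious/spam history; any recorded false positive suppresses the rule
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"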