Attachment: EML with link to credential phishing page

Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source:` block is an MQL expression that
# is evaluated per inbound message and fires when the whole expression is true.
#
# Detection shape (see comments inside `source:`):
#   1. the message has exactly one attachment, and it is an EML
#   2. a link in that EML is judged credential phishing, or shows TLD/redirect anomalies
#   3. AND the message carries at least one secondary social-engineering indicator
#   4. with bounce/NDR exclusions and a sender-reputation gate applied last
name: "Attachment: EML with link to credential phishing page"
description: |
    Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
type: "rule"
severity: "high"
source: |
  type.inbound
  // exactly one attachment: a message that bundles the EML with other files is
  // not evaluated by this rule (scoping choice for precision, not a safety check)
  and length(attachments) == 1
  and any(attachments,
          // EML detection by MIME type or (case-insensitive) extension match
          (.content_type == "message/rfc822" or .file_extension =~ "eml")

          // identifies suspicious URLs in the attached EML
          // every branch below is evaluated per link of the parsed inner message
          and any(file.parse_eml(.).body.links,
                  (
                    beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
                    and beta.linkanalysis(., mode="aggressive").credphish.confidence in (
                      "medium",
                      "high"
                    )
                  )

                  // or any links in the final dom lead to a suspicious tld
                  or any(beta.linkanalysis(.).final_dom.links,
                         .href_url.domain.tld in $suspicious_tlds
                         or beta.linkanalysis(.href_url).effective_url.domain.tld in $suspicious_tlds
                  )

                  // link redirects to a suspicious TLD
                  or any(beta.linkanalysis(., mode="aggressive").redirect_history,
                         .domain.tld in $suspicious_tlds
                  )
                  or (
                    // suspicious redirects
                    // 3 or more different domains with 2 or more different TLDs
                    // careful because click trackers will always make this at least 2
                    // different domains and not unlikely 2 or more TLDs
                    length(distinct(map(beta.linkanalysis(., mode="aggressive").redirect_history,
                                        .domain.tld
                                    )
                           )
                    ) >= 2
                    and length(distinct(map(beta.linkanalysis(.,
                                                              mode="aggressive"
                                            ).redirect_history,
                                            .domain.domain
                                        )
                               )
                    ) >= 3
                  )
          )

          // identifies other suspicious indicators
          // at least one of these must hold in addition to the link verdict above;
          // the broad subject patterns further down are only tolerable because of this AND
          and (
            // engaging language in the original body
            any(ml.nlu_classifier(body.html.display_text).entities,
                .name == "request"
            )

            // engaging language in the attached EML
            or any(ml.nlu_classifier(file.parse_eml(.).body.html.display_text).entities,
                   .name == "request"
            )
            // recipient SLD impersonated in the subject or display name
            or any(recipients.to,
                   // ensure that we're checking the org SLD
                   .email.domain.sld in $org_slds
                   and (
                     strings.icontains(subject.subject, .email.domain.sld)
                     or strings.icontains(sender.display_name, .email.domain.sld)
                   )
            )
            // mismatched sender (From) and Reply-to + freemail
            or any(headers.reply_to,
                   // NOTE(review): the length() guard is redundant with any() over the
                   // same list (any() over an empty list should already be false); harmless
                   length(headers.reply_to) > 0
                   and all(headers.reply_to,
                           .email.domain.root_domain != sender.email.domain.root_domain
                           and .email.domain.root_domain in $free_email_providers
                   )
            )
            // $suspicious_subjects is a configured list; the regex alternatives below
            // supplement it and are matched case-insensitively, any one sufficing
            or any($suspicious_subjects, strings.icontains(subject.subject, .))
            or regex.icontains(subject.subject,
                               "termination.*notice",
                               "38417",
                               ":completed",
                               "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                               "[il][il][il]egai[ -]",
                               "[li][li][li]ega[li] attempt",
                               "[ng]-?[io]n .*block",
                               "[ng]-?[io]n .*cancel",
                               "[ng]-?[io]n .*deactiv",
                               "[ng]-?[io]n .*disabl",
                               "action.*required",
                               "abandon.*package",
                               "about.your.account",
                               "acc(ou)?n?t (is )?on ho[li]d",
                               "acc(ou)?n?t.*terminat",
                               "acc(oun)?t.*[il1]{2}mitation",
                               "access.*limitation",
                               "account (will be )?block",
                               "account.*de-?activat",
                               "account.*locked",
                               "account.*re-verification",
                               "account.*security",
                               "account.*suspension",
                               "account.has.been",
                               "account.has.expired",
                               "account.will.be.blocked",
                               "account v[il]o[li]at",
                               "activity.*acc(oun)?t",
                               "almost.full",
                               "app[li]e.[il]d",
                               "authenticate.*account",
                               "been.*suspend",
                               "clos.*of.*account.*processed",
                               "confirm.your.account",
                               "courier.*able",
                               "deactivation.*in.*progress",
                               "delivery.*attempt.*failed",
                               "document.received",
                               "documented.*shared.*with.*you",
                               "dropbox.*document",
                               // NOTE(review): .{010} requires exactly 10 characters between the
                               // space and "suspen"; a range such as .{0,10} looks intended — confirm
                               // against sample subjects before changing
                               "e-?ma[il1]+ .{010}suspen",
                               "e-?ma[il1]{1} user",
                               "e-?ma[il1]{2} acc",
                               "e-?ma[il1]{2}.*up.?grade",
                               "e.?ma[il1]{2}.*server",
                               "e.?ma[il1]{2}.*suspend",
                               "email.update",
                               "faxed you",
                               "fraud(ulent)?.*charge",
                               "from.helpdesk",
                               "fu[il1]{2}.*ma[il1]+[ -]?box",
                               "has.been.*suspended",
                               "has.been.limited",
                               "have.locked",
                               "he[li]p ?desk upgrade",
                               "heipdesk",
                               "i[il]iega[il]",
                               "ii[il]ega[il]",
                               "incoming e?mail",
                               "incoming.*fax",
                               "lock.*security",
                               "ma[il1]{1}[ -]?box.*quo",
                               "ma[il1]{2}[ -]?box.*fu[il1]",
                               "ma[il1]{2}box.*[il1]{2}mit",
                               "ma[il1]{2}box stor",
                               "mail on.?hold",
                               "mail.*box.*migration",
                               "mail.*de-?activat",
                               "mail.update.required",
                               "mails.*pending",
                               "messages.*pending",
                               "missed.*shipping.*notification",
                               "missed.shipment.notification",
                               "must.update.your.account",
                               "new [sl][io]g?[nig][ -]?in from",
                               "new voice ?-?mail",
                               "notifications.*pending",
                               "office.*3.*6.*5.*suspend",
                               // NOTE(review): "office365", "report" and "scam" are single words that
                               // will match many benign subjects on their own; they only work here
                               // because this branch is ANDed with the link-analysis verdict above
                               "office365",
                               "on google docs with you",
                               "online doc",
                               "password.*compromised",
                               "periodic maintenance",
                               "potential(ly)? unauthorized",
                               "refund not approved",
                               "report",
                               "revised.*policy",
                               "scam",
                               "scanned.?invoice",
                               "secured?.update",
                               "security breach",
                               "securlty",
                               "signed.*delivery",
                               // NOTE(review): .{314}? requires exactly 314 characters (the trailing ?
                               // only makes a fixed count lazy, it does not make it optional); a range
                               // such as .{3,14}? looks intended — confirm against samples before changing
                               "status of your .{314}? ?delivery",
                               "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                               "suspicious.*sign.*[io]n",
                               "suspicious.activit",
                               "temporar(il)?y deactivate",
                               "temporar[il1]{2}y disab[li]ed",
                               "temporarily.*lock",
                               "un-?usua[li].activity",
                               "unable.*deliver",
                               "unauthorized.*activit",
                               "unauthorized.device",
                               "undelivered message",
                               "unread.*doc",
                               "unusual.activity",
                               "upgrade.*account",
                               "upgrade.notice",
                               "urgent message",
                               "urgent.verification",
                               "v[il1]o[li1]at[il1]on security",
                               "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                               "verification ?-?require",
                               "verification( )?-?need",
                               "verify.your?.account",
                               "web ?-?ma[il1]{2}",
                               "web[ -]?ma[il1]{2}",
                               "will.be.suspended",
                               "your (customer )?account .as",
                               "your.office.365",
                               "your.online.access",
            )
          )
  )
  // exclude bounce backs & read receipts
  // (forwarded bounces legitimately carry the original message as an EML attachment)
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // sender reputation gate: unsolicited senders always pass; solicited senders pass
  // only with prior malicious/spam history and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // NOTE(review): this outer check makes the inner "and not ... any_false_positives"
  // above redundant; the net sender condition is
  //   (not solicited or any_messages_malicious_or_spam) and not any_false_positives
  and not profile.by_sender().any_false_positives

# Classification metadata; not part of the evaluated `source` expression.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
# Stable rule identifier
id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"