Attachment: EML with link to credential phishing page
Attached EML links to a credential phishing site.
Sublime rule (View on GitHub)
# Sublime Security detection rule (MQL query embedded in YAML).
# Matches inbound mail that carries exactly one attached message (.eml) whose
# extracted URLs are classified as credential phishing by link analysis, where
# the outer message uses request-style language and the sender is external.
name: "Attachment: EML with link to credential phishing page"
description: |
  Attached EML links to a credential phishing site.
type: "rule"
# NOTE(review): the query requires a confirmed "phishing" disposition from link
# analysis; revisit "medium" if that under-prioritises the alert in your triage.
severity: "medium"
source: |
  type.inbound
  // exactly one attachment: a message that carries the EML together with any
  // other attachment does not match this rule (coverage gap to be aware of)
  and length(attachments) == 1
  and any(attachments,
          // the EML is recognised by MIME type only; an attached message sent
          // with a generic content type (e.g. application/octet-stream) is not
          // matched here — consider also testing the attachment's extension
          // (confirm the attribute name against the MQL reference)
          .content_type == "message/rfc822"
          // parse the attached message and inspect every URL found inside it
          and any(file.explode(.),
                  any(.scan.url.urls,
                      (
                        // URL host is low-reputation or abusable hosting;
                        // $free_subdomain_hosts and sharepoint.com are listed
                        // explicitly, presumably because they appear in
                        // $tranco_1m and would otherwise fail the last clause
                        .domain.root_domain in $free_subdomain_hosts
                        or .domain.root_domain in ("sharepoint.com")
                        or .domain.root_domain not in $tranco_1m
                      )
                      // link analysis must classify the landing page as
                      // credential phishing; the beta. namespace suggests this
                      // function's behaviour is not yet stable — monitor for changes
                      and beta.linkanalysis(.).credphish.disposition == "phishing"
                  )
          )
  )

  // engaging language in the original body
  // NOTE(review): only the HTML body is classified; a text-only outer message
  // appears not to satisfy this clause — confirm whether a plain-text fallback is wanted
  and any(ml.nlu_classifier(body.html.display_text).entities, .name == "request")

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))

  // unsolicited
  // free-mail sender: the exact address must not be in $recipient_emails;
  // any other sender: the sending domain must not be in $recipient_domains
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"