Attachment: EML with link to credential phishing page
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
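# Sublime detection rule (MQL).
# Fires on inbound mail whose single attachment is itself an email (EML) that
# either links to a credential-phishing page or shows suspicious redirect
# behaviour, combined with at least one social-engineering indicator, while
# excluding bounces, read receipts and senders with a false-positive history.
name: "Attachment: EML with link to credential phishing page"
description: |
  Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
type: "rule"
severity: "high"
source: |
  type.inbound
  // exactly one attachment, and it must be an email (by MIME type or extension)
  and length(attachments) == 1
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension =~ "eml")

          // identifies suspicious URLs in the attached EML
          and any(file.parse_eml(.).body.links,
                  (
                    beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
                    and beta.linkanalysis(., mode="aggressive").credphish.confidence in (
                      "medium",
                      "high"
                    )
                  )

                  // or any links in the final dom lead to a suspicious tld
                  or any(beta.linkanalysis(.).final_dom.links,
                         .href_url.domain.tld in $suspicious_tlds
                         or beta.linkanalysis(.href_url).effective_url.domain.tld in $suspicious_tlds
                  )

                  // link redirects to a suspicious TLD
                  or any(beta.linkanalysis(., mode="aggressive").redirect_history,
                         .domain.tld in $suspicious_tlds
                  )
                  or (
                    // suspicious redirects
                    // 3 or more different domains with 2 or more different TLDs
                    // careful because click trackers will always make this at least 2
                    // different domains and not unlikely 2 or more TLDs
                    length(distinct(map(beta.linkanalysis(., mode="aggressive").redirect_history,
                                        .domain.tld
                                    )
                           )
                    ) >= 2
                    and length(distinct(map(beta.linkanalysis(., mode="aggressive").redirect_history,
                                            .domain.domain
                                        )
                               )
                    ) >= 3
                  )
          )

          // identifies other suspicious indicators
          and (
            // engaging language in the original body
            any(ml.nlu_classifier(body.html.display_text).entities,
                .name == "request"
            )

            // engaging language in the attached EML
            or any(ml.nlu_classifier(file.parse_eml(.).body.html.display_text).entities,
                   .name == "request"
            )
            // recipient SLD impersonated in the subject or display name
            or any(recipients.to,
                   // ensure that we're checking the org SLD
                   .email.domain.sld in $org_slds
                   and (
                     strings.icontains(subject.subject, .email.domain.sld)
                     or strings.icontains(sender.display_name, .email.domain.sld)
                   )
            )
            // mismatched sender (From) and Reply-to + freemail
            or any(headers.reply_to,
                   length(headers.reply_to) > 0
                   and all(headers.reply_to,
                           .email.domain.root_domain != sender.email.domain.root_domain
                           and .email.domain.root_domain in $free_email_providers
                   )
            )
            or any($suspicious_subjects, strings.icontains(subject.subject, .))
            // lure subject lines; several patterns use [il1]-style classes to
            // catch homoglyph substitutions (e.g. "emai1", "maiI")
            or regex.icontains(subject.subject,
                               "termination.*notice",
                               "38417",
                               ":completed",
                               "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                               "[il][il][il]egai[ -]",
                               "[li][li][li]ega[li] attempt",
                               "[ng]-?[io]n .*block",
                               "[ng]-?[io]n .*cancel",
                               "[ng]-?[io]n .*deactiv",
                               "[ng]-?[io]n .*disabl",
                               "action.*required",
                               "abandon.*package",
                               "about.your.account",
                               "acc(ou)?n?t (is )?on ho[li]d",
                               "acc(ou)?n?t.*terminat",
                               "acc(oun)?t.*[il1]{2}mitation",
                               "access.*limitation",
                               "account (will be )?block",
                               "account.*de-?activat",
                               "account.*locked",
                               "account.*re-verification",
                               "account.*security",
                               "account.*suspension",
                               "account.has.been",
                               "account.has.expired",
                               "account.will.be.blocked",
                               "account v[il]o[li]at",
                               "activity.*acc(oun)?t",
                               "almost.full",
                               "app[li]e.[il]d",
                               "authenticate.*account",
                               "been.*suspend",
                               "clos.*of.*account.*processed",
                               "confirm.your.account",
                               "courier.*able",
                               "deactivation.*in.*progress",
                               "delivery.*attempt.*failed",
                               "document.received",
                               "documented.*shared.*with.*you",
                               "dropbox.*document",
                               // up to 10 characters between "email " and "suspen";
                               // the earlier .{010} quantifier meant exactly 10
                               "e-?ma[il1]+ .{0,10}suspen",
                               "e-?ma[il1]{1} user",
                               "e-?ma[il1]{2} acc",
                               "e-?ma[il1]{2}.*up.?grade",
                               "e.?ma[il1]{2}.*server",
                               "e.?ma[il1]{2}.*suspend",
                               "email.update",
                               "faxed you",
                               "fraud(ulent)?.*charge",
                               "from.helpdesk",
                               "fu[il1]{2}.*ma[il1]+[ -]?box",
                               "has.been.*suspended",
                               "has.been.limited",
                               "have.locked",
                               "he[li]p ?desk upgrade",
                               "heipdesk",
                               "i[il]iega[il]",
                               "ii[il]ega[il]",
                               "incoming e?mail",
                               "incoming.*fax",
                               "lock.*security",
                               "ma[il1]{1}[ -]?box.*quo",
                               "ma[il1]{2}[ -]?box.*fu[il1]",
                               "ma[il1]{2}box.*[il1]{2}mit",
                               "ma[il1]{2}box stor",
                               "mail on.?hold",
                               "mail.*box.*migration",
                               "mail.*de-?activat",
                               "mail.update.required",
                               "mails.*pending",
                               "messages.*pending",
                               "missed.*shipping.*notification",
                               "missed.shipment.notification",
                               "must.update.your.account",
                               "new [sl][io]g?[nig][ -]?in from",
                               "new voice ?-?mail",
                               "notifications.*pending",
                               "office.*3.*6.*5.*suspend",
                               "office365",
                               "on google docs with you",
                               "online doc",
                               "password.*compromised",
                               "periodic maintenance",
                               "potential(ly)? unauthorized",
                               "refund not approved",
                               "report",
                               "revised.*policy",
                               "scam",
                               "scanned.?invoice",
                               "secured?.update",
                               "security breach",
                               "securlty",
                               "signed.*delivery",
                               // 3 to 14 characters between "your " and "delivery";
                               // the earlier .{314}? quantifier meant exactly 314
                               "status of your .{3,14}? ?delivery",
                               "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                               "suspicious.*sign.*[io]n",
                               "suspicious.activit",
                               "temporar(il)?y deactivate",
                               "temporar[il1]{2}y disab[li]ed",
                               "temporarily.*lock",
                               "un-?usua[li].activity",
                               "unable.*deliver",
                               "unauthorized.*activit",
                               "unauthorized.device",
                               "undelivered message",
                               "unread.*doc",
                               "unusual.activity",
                               "upgrade.*account",
                               "upgrade.notice",
                               "urgent message",
                               "urgent.verification",
                               "v[il1]o[li1]at[il1]on security",
                               "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                               "verification ?-?require",
                               "verification( )?-?need",
                               "verify.your?.account",
                               "web ?-?ma[il1]{2}",
                               "web[ -]?ma[il1]{2}",
                               "will.be.suspended",
                               "your (customer )?account .as",
                               "your.office.365",
                               "your.online.access",
            )
          )
  )
  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // sender reputation: flag unsolicited senders, or solicited senders with
  // prior malicious/spam messages; any recorded false positive suppresses
  // the rule either way (the single check below covers both branches)
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"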