Attachment: EML with link to credential phishing page

Attached EML links to a credential phishing site.

Sublime rule

# Sublime Security detection rule. Everything under `source:` is an MQL query;
# the rule fires only when the whole conjunction below evaluates true.
name: "Attachment: EML with link to credential phishing page"
description: |
    Attached EML links to a credential phishing site.
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail carrying exactly one attachment, and that attachment
  // must itself be a message (message/rfc822, i.e. an attached EML).
  // Because of the `== 1` check, a message with an EML plus any other
  // attachment falls outside this rule.
  type.inbound
  and length(attachments) == 1
  // Explode the attached EML and look at every URL found inside it. A URL
  // matches when its root domain is a free subdomain host, sharepoint.com, or
  // absent from the Tranco top 1M, AND beta.linkanalysis reports a credphish
  // disposition of "phishing". The `not in $tranco_1m` branch is broad on its
  // own; the link-analysis disposition is the real gate.
  and any(attachments,
          .content_type == "message/rfc822"
          and any(file.explode(.),
                  any(.scan.url.urls,
                      (
                        .domain.root_domain in $free_subdomain_hosts
                        or .domain.root_domain in ("sharepoint.com")
                        or .domain.root_domain not in $tranco_1m
                      )
                      and beta.linkanalysis(.).credphish.disposition == "phishing"
                  )
          )
  )

  // engaging language in the original body
  // (this inspects the outer carrier message's body, not the body of the
  // attached EML)
  and any(ml.nlu_classifier(body.html.display_text).entities, .name == "request")

  // exclude bounce backs & read receipts
  // local-part patterns are glob-style (strings.like); the subject regex is
  // anchored to the start of the subject and case-insensitive (regex.icontains)
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))

  // unsolicited: either a free-mail sender that is not one of the recipients,
  // or a non-free-mail sender whose domain is not a recipient domain
  // (presumably $recipient_domains holds the recipients' domains, so senders
  // sharing a domain with a recipient are excluded here — verify list semantics)
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )  
# Categorisation metadata for the rule; not part of the query logic.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"