EML attachment with credential theft language (unknown sender)
Identifies EML attachments that use credential theft language from unknown senders.
# Sublime detection rule: inbound message carrying an attached EML whose
# content classifies as credential-theft language, from a sender with no
# trusted history. The detection itself is the NLU "cred_theft" intent at
# high confidence, evaluated on the attached EML's body text and (via OCR)
# on attachments nested inside that EML; the rest of the query is
# exclusions for bounces, read receipts, and security-gateway wrappers.
name: "EML attachment with credential theft language (unknown sender)"
description: "Identifies EML attachments that use credential theft language from unknown senders."
type: "rule"
severity: "high"
# The block below is MQL (Sublime's query language); `//` starts a comment
# inside it, `#` would not.
source: |
  type.inbound
  // we don't look for links because it could be a QR code
  and any(attachments,
          // attached EML, matched by MIME type or by extension
          (.content_type == "message/rfc822" or .file_extension =~ "eml")
          and (
            // credential theft language in the attached EML
            // only the high-confidence classifier result counts
            any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
                .name == "cred_theft" and .confidence == "high"
            )
            // credential theft language in an attachment in the attached EML
            // text is recovered with OCR (a beta function), so image-only lures are covered
            or any(file.parse_eml(.).attachments,
                   any(ml.nlu_classifier(beta.ocr(.).text).intents,
                       .name == "cred_theft" and .confidence == "high"
                   )
            )
          )
          // the attached EML's own sender is filtered the same way as the outer sender below
          and not strings.like(file.parse_eml(.).sender.email.local_part,
                               "*postmaster*",
                               "*mailer-daemon*",
                               "*administrator*"
          )
          // some systems attach the bounceback this way
          and not any(file.parse_eml(.).attachments,
                      .content_type in (
                        "message/delivery-status",
                        "message/feedback-report"
                      )
          )
          // negate Microsoft Dynamic Delivery
          // (placeholder EML with no attachments and the Safe Attachments scanning notice)
          and not (
            length(file.parse_eml(.).attachments) == 0
            and strings.icontains(file.parse_eml(.).body.current_thread.text,
                                  "Your attachments are currently being scanned by Safe Attachments"
            )
          )
          // Mimecast Protection attached EMLs when replacing attachments
          // all four conditions must hold: known file name, a single hop,
          // the X-MC-System header and the Mimecast MIME boundary marker
          and not (
            (
              strings.iends_with(.file_name, 'was removed from this message')
              or .file_name == "We found suspicious links"
              or .file_name == 'We sent you safe versions of your files'
            )
            and length(file.parse_eml(.).headers.hops) == 1
            and any(file.parse_eml(.).headers.hops[0].fields,
                    .name == "X-MC-System"
            )
            and any(file.parse_eml(.).headers.hops[0].fields,
                    .name == "Content-Type"
                    and strings.contains(.value, '; boundary="MCBoundary=_')
            )
          )
  )
  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undelivered|undeliverable|read:)")
  and not any(attachments,
              .content_type in (
                "message/delivery-status",
                "message/feedback-report"
              )
  )
  // if a "References" header value appears in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // sender reputation gate: unsolicited, previously malicious/spam with no
  // benign history, or the sender mailing only themselves
  and (
    not profile.by_sender_email().solicited
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      // NOTE(review): redundant with the standalone any_messages_benign check below; harmless
      and not profile.by_sender_email().any_messages_benign
    )
    // sender address listed as a recipient
    or (
      length(recipients.to) == 1
      and sender.email.email in map(recipients.to, .email.email)
    )
  )
  and not profile.by_sender_email().any_messages_benign
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // the exclusion is tied to SPF and DMARC passing, so a message that merely
  // uses this sender address without authenticating is not excluded
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Content analysis"
  - "Header analysis"
id: "00e06af1-d67e-513c-b53e-b9548db8c65e"