EML attachment with credential theft language (unknown sender)
Identifies EML attachments that use credential theft language from unknown senders.
# Sublime Security detection rule: YAML metadata around an MQL query in the
# "source" block scalar. Inside "source", comments use MQL's "//" syntax; a
# "#" there would be part of the query text, not a comment.
name: "EML attachment with credential theft language (unknown sender)"
description: "Identifies EML attachments that use credential theft language from unknown senders."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail only. The credential-theft signal is evaluated on the
  // *attached* message (file.parse_eml(.)), not on the outer message body.
  type.inbound
  // we don't look for links because it could be a QR code
  and any(attachments,
          // an attached email: RFC 822 MIME type or an .eml file extension
          (.content_type == "message/rfc822" or .file_extension =~ "eml")
          // credential theft language in the attached EML
          // (requires a high-confidence "cred_theft" intent on the attached
          // message's current-thread text)
          and any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
                  .name == "cred_theft" and .confidence == "high"
          )
          // skip attached messages whose sender is a system/automated mailbox
          // (same pattern as the outer-sender bounce exclusion further down)
          and not strings.like(file.parse_eml(.).sender.email.local_part,
                               "*postmaster*",
                               "*mailer-daemon*",
                               "*administrator*"
          )
          // negate Mimecast Attachment Protection
          // NOTE(review): this exclusion is keyed only on the outer message's
          // attachment name and body wording; no sender or domain check is
          // made here. Keep the literals in sync if the vendor wording changes.
          and not (
            any(attachments,
                .file_name == 'We sent you safe versions of your files'
            )
            and strings.contains(body.current_thread.text,
                                 'Mimecast Attachment Protection has deemed this file to be safe, but always exercise caution when opening files.'
            )
          )
          // negate Microsoft Dynamic Delivery
          // (attached EML carries no attachments of its own and contains the
          // Safe Attachments placeholder text; also keyed on literal wording)
          and not (
            length(file.parse_eml(.).attachments) == 0
            and strings.icontains(file.parse_eml(.).body.current_thread.text,
                                  "Your attachments are currently being scanned by Safe Attachments"
            )
          )
  )
  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undelivered|undeliverable|read:)")
  and not any(attachments, .content_type in ("message/delivery-status", "message/feedback-report"))
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // sender reputation: fire for unsolicited senders, or for solicited senders
  // with prior malicious/spam messages and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // applies to both branches above, so the inner any_false_positives check
  // in the "or" branch is redundant (harmless, but could be dropped)
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Content analysis"
  - "Header analysis"
# stable rule identifier (UUID); keep unchanged across edits to the rule
id: "00e06af1-d67e-513c-b53e-b9548db8c65e"