EML attachment with credential theft language (unknown sender)

Identifies EML attachments that use credential theft language from unknown senders.


# Sublime Security detection rule (MQL source embedded in YAML).
# Flags an inbound message that carries an attached EML whose body text the
# NLU classifier reads as a credential-theft lure, when the sender is not
# solicited according to the sender profile.
name: "EML attachment with credential theft language (unknown sender)"
description: "Identifies EML attachments that use credential theft language from unknown senders."
type: "rule"
severity: "high"
# Outline of the detection logic in the MQL block below:
#  - inbound message with at least one attachment that is an EML
#    (content_type message/rfc822, or a file extension matching "eml")
#    whose parsed body text the NLU classifier labels "cred_theft" with
#    high confidence; links are deliberately not required because the
#    lure may be a QR code rather than a URL
#  - bounce / NDR / read-receipt exclusions: postmaster, mailer-daemon and
#    administrator sender local parts, subjects starting "undeliverable"
#    or "read:", message/delivery-status attachments, and a References
#    header value that is echoed in the body's display text
#  - sender profile: the sender is unsolicited, or has prior messages
#    marked malicious/spam; any prior false positive on the sender
#    suppresses the rule
# NOTE(review): the final any_false_positives exclusion already rules out
# every sender with a recorded false positive, so the same check inside
# the "or" branch is logically redundant (harmless, could be dropped).
source: |
  type.inbound
  // we don't look for links because it could be a QR code
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension =~ "eml")
          // credential theft language in the attached EML
          and any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
                  .name == "cred_theft" and .confidence == "high"
          )
  )
  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives  
# Classification metadata for the rule (attack type, tactics, detection methods).
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Content analysis"
  - "Header analysis"
# Rule identifier.
id: "00e06af1-d67e-513c-b53e-b9548db8c65e"