EML attachment with credential theft language (unknown sender)
Identifies EML attachments that use credential theft language from unknown senders.
# Sublime detection rule: credential-theft language inside an attached .eml from an unknown sender.
name: "EML attachment with credential theft language (unknown sender)"
description: "Identifies EML attachments that use credential theft language from unknown senders."
type: "rule"
severity: "high"
# MQL query. Every top-level `and` clause below must hold for the message to match.
source: |
  type.inbound
  // we don't look for links because it could be a QR code
  // Attachment clause: only attachments that are EML by MIME type or by
  // (case-insensitive, =~) file extension are parsed and classified.
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension =~ "eml")
          // credential theft language in the attached EML
          // The classifier runs on the attached message's body text
          // (current_thread), not on the outer message body. Quoted earlier
          // replies inside the attachment are presumably not included — verify.
          and any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
                  .name == "cred_theft" and .confidence == "high"
          )
  )
  // exclude bounce backs & read receipts
  // Three heuristics: system-style sender local parts, NDR/read-receipt
  // subject prefixes (regex.icontains is case-insensitive), and a
  // delivery-status part among the attachments.
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  // NOTE(review): only the HTML body's display text is searched here; a
  // plain-text-only bounce would not be caught by this clause — confirm how
  // body.html.display_text behaves when there is no HTML part.
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // Sender-profile gate: fire when the sender is not solicited (unknown to the
  // organisation), or is known but has prior malicious/spam messages and no
  // recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // Global suppression: any sender with a recorded false positive never matches,
  // regardless of the branch taken above (this also makes the inner
  // any_false_positives check redundant, but harmless).
  and not profile.by_sender().any_false_positives
# Rule classification metadata.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Content analysis"
  - "Header analysis"
# Rule identifier.
id: "00e06af1-d67e-513c-b53e-b9548db8c65e"