EML attachment with credential theft language (unknown sender)

Identifies EML attachments that use credential theft language from unknown senders.

Sublime rule (View on GitHub)

 1name: "EML attachment with credential theft language (unknown sender)"
 2description: "Identifies EML attachments that use credential theft language from unknown senders."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // we don't look for links because it could be a QR code
 8  and any(attachments,
 9          (.content_type == "message/rfc822" or .file_extension =~ "eml")
10          and (
11            // credential theft language in the attached EML
12            any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
13                .name == "cred_theft" and .confidence == "high"
14            )
15            // credential theft language in an attachment in the attached EML
16            or any(file.parse_eml(.).attachments,
17                   any(ml.nlu_classifier(beta.ocr(.).text).intents,
18                       .name == "cred_theft" and .confidence == "high"
19                   )
20            )
21          )
22          and not file.parse_eml(.).sender.email.domain.root_domain in $org_domains
23          and not strings.like(file.parse_eml(.).sender.email.local_part,
24                               "*postmaster*",
25                               "*mailer-daemon*",
26                               "*administrator*"
27          )
28          // some systems attach the bounceback this way
29          and not any(file.parse_eml(.).attachments,
30                      .content_type in (
31                        "message/delivery-status",
32                        "message/feedback-report"
33                      )
34          )
35          // negate Mimecast Attachment Protection
36          and not (
37            any(attachments,
38                .file_name == 'We sent you safe versions of your files'
39            )
40            and strings.contains(body.current_thread.text,
41                                 'Mimecast Attachment Protection has deemed this file to be safe, but always exercise caution when opening files.'
42            )
43          )
44          // negate Microsoft Dynamic Delivery
45          and not (
46            length(file.parse_eml(.).attachments) == 0
47            and strings.icontains(file.parse_eml(.).body.current_thread.text,
48                                  "Your attachments are currently being scanned by Safe Attachments"
49            )
50          )
51  )
52  // exclude bounce backs & read receipts
53  and not strings.like(sender.email.local_part,
54                       "*postmaster*",
55                       "*mailer-daemon*",
56                       "*administrator*"
57  )
58  and not regex.icontains(subject.subject, "^(undelivered|undeliverable|read:)")
59  and not any(attachments,
60              .content_type in (
61                "message/delivery-status",
62                "message/feedback-report"
63              )
64  )
65  // if the "References" is in the body of the message, it's probably a bounce
66  and not any(headers.references, strings.contains(body.html.display_text, .))
67  and (
68    not profile.by_sender_email().solicited
69    or (
70      profile.by_sender_email().any_messages_malicious_or_spam
71      and not profile.by_sender_email().any_messages_benign
72    )
73  )
74  and not profile.by_sender_email().any_messages_benign  
75attack_types:
76  - "Credential Phishing"
77tactics_and_techniques:
78  - "Evasion"
79  - "Social engineering"
80detection_methods:
81  - "Natural Language Understanding"
82  - "Sender analysis"
83  - "Content analysis"
84  - "Header analysis"
85id: "00e06af1-d67e-513c-b53e-b9548db8c65e"