EML attachment with credential theft language (unknown sender)

Identifies inbound messages from unknown (unsolicited) senders whose single EML attachment contains credential-theft language, as judged by the NLU intent classifier at high confidence. Known bounce-back and read-receipt patterns are excluded.

Sublime rule (View on GitHub)

 1name: "EML attachment with credential theft language (unknown sender)"
 2description: "Identifies EML attachments that use credential theft language from unknown senders."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) == 1
 8  // we don't look for links because it could be a QR code
 9  and any(attachments,
10          (.content_type == "message/rfc822" or .file_extension =~ "eml")
11          // credential theft language in the attached EML
12          and any(ml.nlu_classifier(file.parse_eml(.).body.html.display_text).intents,
13                  .name == "cred_theft" and .confidence == "high"
14          )
15  )
16  // exclude bounce backs & read receipts
17  and not strings.like(sender.email.local_part,
18                       "*postmaster*",
19                       "*mailer-daemon*",
20                       "*administrator*"
21  )
22  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
23  and not any(attachments, .content_type == "message/delivery-status")
24  // if the "References" is in the body of the message, it's probably a bounce
25  and not any(headers.references, strings.contains(body.html.display_text, .))
26  and (
27    not profile.by_sender().solicited
28    or (
29      profile.by_sender().any_messages_malicious_or_spam
30      and not profile.by_sender().any_false_positives
31    )
32  )
33  and not profile.by_sender().any_false_positives  
34attack_types:
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "Evasion"
38  - "Social engineering"
39detection_methods:
40  - "Natural Language Understanding"
41  - "Sender analysis"
42  - "Content analysis"
43  - "Header analysis"
44id: "00e06af1-d67e-513c-b53e-b9548db8c65e"