Extortion / Sextortion in Attachment From Untrusted Sender
Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.
# Sublime detection rule. Scope, read from the query below: inbound mail with at most
# one attachment, a body that is either short or carries a non-benign NLU intent, an
# image or PDF attachment whose OCR text shows extortion language (NLU intent+entity,
# or at least three lexical signals), and a sender that is not an established,
# solicited contact. Severity stays "low" because the lexical branch is heuristic.
name: "Extortion / Sextortion in Attachment From Untrusted Sender"
description: "Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender."
type: "rule"
severity: "low"
source: |
  type.inbound
  // the lure is expected in a single attachment; multi-attachment mail is out of scope
  and length(attachments) < 2
  and (
    // either the body is near-empty (the content lives in the attachment) ...
    length(body.current_thread.text) < 500
    // ... or the body has at least one NLU intent other than "benign"
    or (
      length(ml.nlu_classifier(body.current_thread.text).intents) > 0
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name != "benign"
      )
    )
  )
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          // only exploded objects that actually produced OCR text are inspected
          and any(filter(file.explode(.), .scan.ocr.raw is not null),
                  // primary path: NLU sees a high-confidence extortion intent
                  // together with a financial entity in the OCR text
                  (
                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "extortion" and .confidence == "high"
                    )
                    and any(ml.nlu_classifier(.scan.ocr.raw).entities,
                            .name == "financial"
                    )
                  )
                  // fallback path: any three of the nine lexical signals below
                  or 3 of (
                    // malware terms
                    regex.icontains(.scan.ocr.raw, "((spy|mal)ware|trojan|remote control)"),
                    // actions recorded
                    regex.icontains(.scan.ocr.raw,
                                    "porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
                    ),
                    regex.icontains(.scan.ocr.raw,
                                    "pervert|perversion|masturbat"
                    ),
                    // a timeframe to pay
                    regex.icontains(.scan.ocr.raw, '\d\d hours', '(?:one|two|three) days?'),
                    // a promise from the actor
                    // NOTE(review): the literal space after {0,4} means "destroy evidence" with no
                    // intervening word needs two spaces to match, while "destroy all evidence"
                    // matches as written — confirm this is intended
                    regex.icontains(.scan.ocr.raw,
                                    'permanently delete|destroy (?:\w+\s*){0,4} (?:data|evidence|videos?)'
                    ),
                    // a threat from the actor
                    regex.icontains(.scan.ocr.raw,
                                    'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*your contacts'),
                    // bitcoin
                    (
                      regex.icontains(.scan.ocr.raw,
                                      'bitcoin|\bbtc\b|blockchain'
                      )
                      // negate cryptocurrency newsletters: a link whose visible text and
                      // path both say "unsubscribe" marks the message as a mailing
                      and not (
                        any(body.links,
                            strings.icontains(.display_text, "unsubscribe")
                            and (
                              strings.icontains(.href_url.path, "unsubscribe")
                              // handle mimecast URL rewrites: the original link is carried
                              // in the query string, so the sender domain is looked for there
                              or (
                                .href_url.domain.root_domain == 'mimecastprotect.com'
                                and strings.icontains(.href_url.query_params,
                                                      sender.email.domain.root_domain
                                )
                              )
                            )
                        )
                      )
                    ),
                    // bitcoin wallet address + threat
                    // NOTE(review): the first alternative's character class admits "0", which
                    // base58 excludes; the other alternatives use the stricter
                    // [1-9A-HJ-NP-Za-km-z] set. Looser matching is presumably tolerated for
                    // OCR output — confirm.
                    (
                      strings.icontains(.scan.ocr.raw,
                                        "contact the police"
                      )
                      and regex.icontains(.scan.ocr.raw,
                                          '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
                      )
                    ),
                    // bech32-style prefix followed by up to 50 arbitrary characters; this is
                    // deliberately loose and counts as only one of the three required signals
                    regex.icontains(.scan.ocr.raw, 'bc1q.{0,50}\b')
                  )
          )
  )
  // "untrusted sender": no solicited relationship, or a sender with prior
  // malicious/spam verdicts and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // presumably mail relayed through a Google Group, where list membership does
    // not establish a solicited relationship — TODO confirm
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))

    // many extortion emails spoof sender domains and fail sender authentication
    // NOTE(review): when compauth is absent (non-Microsoft path) the outcome of the
    // "not in" comparison depends on MQL null semantics — confirm it cannot match
    // every hop by itself
    or any(headers.hops,
           .authentication_results.dmarc == "fail"
           or .authentication_results.compauth.verdict not in ("pass", "softpass")
    )
  )
attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "3cb8d32c-7c35-5cf9-9a8c-5cb6a1c3bd62"