Extortion / Sextortion in Attachment From Untrusted Sender
Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.
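name: "Extortion / Sextortion in Attachment From Untrusted Sender"
description: "Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender."
type: "rule"
severity: "low"
source: |
  type.inbound
  // single-attachment messages only: any(attachments, ...) below needs at
  // least one attachment, and this cap excludes messages with more than one
  and length(attachments) < 2
  // the body is either short, or the NLU classifier returns at least one
  // intent that is not benign (the lure text usually lives in the attachment)
  and (
    length(body.current_thread.text) < 500
    or (
      length(ml.nlu_classifier(body.current_thread.text).intents) > 0
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name != "benign"
      )
    )
  )
  and any(attachments,
          // use ocr output from file.explode on pdfs/images
          (
            (.file_type in $file_types_images or .file_type == "pdf")
            and any(filter(file.explode(.), .scan.ocr.raw is not null),
                    // either the NLU classifier flags the OCR text as
                    // high-confidence extortion with a financial entity ...
                    (
                      any(ml.nlu_classifier(.scan.ocr.raw).intents,
                          .name == "extortion" and .confidence == "high"
                      )
                      and any(ml.nlu_classifier(.scan.ocr.raw).entities,
                              .name == "financial"
                      )
                    )
                    // ... or at least three of the lexical indicators match
                    or 3 of (
                      // malware terms
                      regex.icontains(.scan.ocr.raw,
                                      "((spy|mal)ware|trojan|remote control)"
                      ),
                      // actions recorded
                      regex.icontains(.scan.ocr.raw,
                                      "porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
                      ),
                      regex.icontains(.scan.ocr.raw,
                                      "pervert|perversion|masturbat"
                      ),
                      // a timeframe to pay
                      regex.icontains(.scan.ocr.raw,
                                      '\d\d hours',
                                      '(?:one|two|three) days?'
                      ),
                      // a promise from the actor
                      regex.icontains(.scan.ocr.raw,
                                      'permanently delete|destroy (?:\w+\s*){0,4} (?:data|evidence|videos?)'
                      ),
                      // a threat from the actor
                      regex.icontains(.scan.ocr.raw,
                                      'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*your contacts'
                      ),
                      // bitcoin
                      (
                        regex.icontains(.scan.ocr.raw,
                                        'bitcoin|\bbtc\b|blockchain'
                        )
                        // negate cryptocurrency newsletters: a real unsubscribe
                        // link in the body is a strong sign of a mailing list
                        and not (
                          any(body.links,
                              strings.icontains(.display_text, "unsubscribe")
                              and (
                                strings.icontains(.href_url.path, "unsubscribe")
                                // handle mimecast URL rewrites
                                or (
                                  .href_url.domain.root_domain == 'mimecastprotect.com'
                                  and strings.icontains(.href_url.query_params,
                                                        sender.email.domain.root_domain
                                  )
                                )
                              )
                          )
                        )
                      ),
                      // bitcoin wallet address + threat
                      (
                        strings.icontains(.scan.ocr.raw, "contact the police")
                        and regex.icontains(.scan.ocr.raw,
                                            '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
                        )
                      ),
                      regex.icontains(.scan.ocr.raw, 'bc1q.{0,50}\b')
                    )
            )
          )
          or
          // use file.parse_text on plain text files; the same function is used
          // for every check below so the text-file branch mirrors the OCR branch
          (
            (
              .file_extension in ("txt")
              and (
                // either the NLU classifier flags the extracted text as
                // high-confidence extortion with a financial entity ...
                (
                  any(ml.nlu_classifier(file.parse_text(.).text).intents,
                      .name == "extortion" and .confidence == "high"
                  )
                  and any(ml.nlu_classifier(file.parse_text(.).text).entities,
                          .name == "financial"
                  )
                )
                // ... or at least three of the lexical indicators match
                or 3 of (
                  // malware terms
                  regex.icontains(file.parse_text(.).text,
                                  "((spy|mal)ware|trojan|remote control)"
                  ),
                  // actions recorded
                  regex.icontains(file.parse_text(.).text,
                                  "porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
                  ),
                  regex.icontains(file.parse_text(.).text,
                                  "pervert|perversion|masturbat"
                  ),
                  // a timeframe to pay
                  regex.icontains(file.parse_text(.).text,
                                  '\d\d hours',
                                  '(?:one|two|three) days?'
                  ),
                  // a promise from the actor
                  regex.icontains(file.parse_text(.).text,
                                  'permanently delete|destroy (?:\w+\s*){0,4} (?:data|evidence|videos?)'
                  ),
                  // a threat from the actor
                  regex.icontains(file.parse_text(.).text,
                                  'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*your contacts'
                  ),
                  // bitcoin
                  (
                    regex.icontains(file.parse_text(.).text,
                                    'bitcoin|\bbtc\b|blockchain'
                    )
                    // negate cryptocurrency newsletters: a real unsubscribe
                    // link in the body is a strong sign of a mailing list
                    and not (
                      any(body.links,
                          strings.icontains(.display_text, "unsubscribe")
                          and (
                            strings.icontains(.href_url.path, "unsubscribe")
                            // handle mimecast URL rewrites
                            or (
                              .href_url.domain.root_domain == 'mimecastprotect.com'
                              and strings.icontains(.href_url.query_params,
                                                    sender.email.domain.root_domain
                              )
                            )
                          )
                      )
                    )
                  ),
                  // bitcoin wallet address + threat
                  (
                    strings.icontains(file.parse_text(.).text,
                                      "contact the police"
                    )
                    and regex.icontains(file.parse_text(.).text,
                                        '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
                    )
                  ),
                  regex.icontains(file.parse_text(.).text, 'bc1q.{0,50}\b')
                )
              )
            )
          )
  )
  // sender must be untrusted: unsolicited, previously seen sending
  // malicious/spam mail with no recorded false positives, relayed with a
  // Google Groups header, or failing sender authentication
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))

    // many extortion emails spoof sender domains and fail sender authentication
    or any(headers.hops,
           .authentication_results.dmarc == "fail"
           or .authentication_results.compauth.verdict not in ("pass", "softpass")
    )
  )
attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "3cb8d32c-7c35-5cf9-9a8c-5cb6a1c3bd62"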