Extortion / Sextortion in Attachment From Untrusted Sender

Detects extortion and sextortion attempts from an untrusted sender by running OCR on a single image or PDF attachment and analyzing the extracted text (NLU intent/entity classification, or a cluster of sextortion keywords and crypto wallet-address patterns).


# Sublime Security detection rule (MQL inside the `source` block).
# Fires on inbound mail whose single image/PDF attachment, once OCR'd,
# reads like an extortion / sextortion demand, and whose sender is
# untrusted (new/outlier, previously flagged, Google-Groups relayed, or
# failing sender authentication).
name: "Extortion / Sextortion in Attachment From Untrusted Sender"
description: "Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender."
type: "rule"
# NOTE(review): severity is "low"; presumably because the OCR + keyword
# heuristics below are noisy and this is meant to corroborate, not block.
severity: "low"
source: |
  // Scope: inbound mail only.
  type.inbound
  // At most one attachment. Zero attachments is excluded further down,
  // since any() over an empty list is false.
  and length(attachments) < 2
  // Body gate: either the body is near-empty (< 500 chars, the demand lives
  // in the attachment) or the NLU classifier assigns it at least one
  // non-benign intent.
  and (
    length(body.current_thread.text) < 500
    or (
      length(ml.nlu_classifier(body.current_thread.text).intents) > 0
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name != "benign"
      )
    )
  )
  // Attachment content: only images and PDFs are considered, and the OCR'd
  // text (.scan.ocr.raw) must satisfy EITHER the NLU branch OR at least 3
  // of the keyword / wallet-address heuristics.
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and any(file.explode(.),
                  (
                    // NLU branch: high-confidence "extortion" intent plus a
                    // "financial" entity (the payment demand).
                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "extortion" and .confidence == "high"
                    )
                    and any(ml.nlu_classifier(.scan.ocr.raw).entities,
                            .name == "financial"
                    )
                  )
                  // Heuristic branch: sextortion vocabulary plus a payment
                  // deadline and/or a crypto wallet address.
                  or 3 of (
                    regex.icontains(.scan.ocr.raw, "((spy|mal)ware|trojan)"),
                    regex.icontains(.scan.ocr.raw,
                                    "porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
                    ),
                    regex.icontains(.scan.ocr.raw, "pervert|perversion"),
                    // two-digit deadlines, e.g. "48 hours"
                    regex.icontains(.scan.ocr.raw, '\d\d hours'),
                    strings.icontains(.scan.ocr.raw, "permanently delete"),
                    (
                      strings.icontains(.scan.ocr.raw, "contact the police")
                      // Wallet-address shapes. The alternatives look like legacy
                      // BTC (1/3...), an X-prefixed 34-char form, ETH (0x + 40 hex),
                      // LTC (L/M/3...) and XMR (4/8..., 95 chars) -- verify before
                      // relying on those labels.
                      and regex.icontains(.scan.ocr.raw,
                                          '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
                      )
                    ),
                    // NOTE(review): this matches "bc1q" followed by up to 50
                    // arbitrary characters, so it fires on any OCR text that
                    // merely contains that prefix. A bech32-shaped pattern such
                    // as '\bbc1q[a-z0-9]{38,58}\b' would be much tighter, but may
                    // miss OCR-garbled addresses -- confirm against the corpus
                    // before tightening.
                    regex.icontains(.scan.ocr.raw, 'bc1q.{0,50}\b')
                  )
          )
  )
  // Sender trust: any one of the following marks the sender as untrusted.
  and (
    // never or rarely seen before by this organization
    profile.by_sender().prevalence in ("new", "outlier")
    // previously flagged malicious/spam, with no recorded false positives
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // relayed through Google Groups (X-Google-Group-Id hop header present)
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
  
    // many extortion emails spoof sender domains and fail sender authentication
    // NOTE(review): compauth is a Microsoft 365 header; on mail delivered via
    // other platforms the verdict field is absent. Confirm how `not in`
    // treats a missing value so this branch does not fire on every
    // non-M365 message.
    or any(headers.hops,
           .authentication_results.dmarc == "fail"
           or .authentication_results.compauth.verdict not in ("pass", "softpass")
    )
  )


attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "3cb8d32c-7c35-5cf9-9a8c-5cb6a1c3bd62"