Extortion / sextortion (untrusted sender)
Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
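name: "Extortion / sextortion (untrusted sender)"
description: |
  Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
# Shape of the detection logic in `source`:
#   1. inbound message
#   2. the body reads as extortion, either per the NLU classifier
#      (intent "extortion" at high confidence plus a "financial" entity)
#      or per a failsafe of at least 3 of 9 hand-written indicators
#   3. the sender is not an established correspondent, or the message
#      fails (or lacks) sender authentication
#   4. the body is shorter than 6000 characters
# Every body-text check runs on strings.replace_confusables(...) so that
# homoglyph substitution in the body does not bypass the keyword regexes.
source: |
  type.inbound
  and (
    // primary signal: NLU classifier on the confusables-normalized body
    (
      any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents,
          .name == "extortion" and .confidence == "high"
      )
      and any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).entities,
              .name == "financial"
      )
    )
    // manual indicators failsafe: at least 3 of the 9 checks below must hold
    or 3 of (
      // malware terms
      regex.icontains(strings.replace_confusables(body.current_thread.text), "((spy|mal)ware|trojan|remote control)"),
      // actions recorded
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      "porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
      ),
      regex.icontains(strings.replace_confusables(body.current_thread.text), "pervert|perversion|masturbat"),
      // a timeframe to pay (either pattern may match)
      regex.icontains(strings.replace_confusables(body.current_thread.text), '\d\d hours', '(?:one|two|three|\d) days?'),
      // a promise from the actor
      // \s+ separators (instead of a literal space before the final group) let the
      // {0,4} filler words be absent, so "destroy evidence" / "remove data" match
      // as well as "remove the evidence"; the previous form required an extra space
      // and could only match with at least one filler word present
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      'permanently delete|(remove|destroy)\s+(?:\w+\s+){0,4}(?:data|evidence|videos?)'
      ),
      // a threat from the actor
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*your contacts'),
      // bitcoin language (excluding newsletters)
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text), 'bitcoin|\bbtc\b|blockchain')
        // negate cryptocurrency newsletters: an "unsubscribe" link whose URL path
        // also carries "unsubscribe" is treated as a legitimate mailing
        and not (
          any(body.links,
              strings.icontains(.display_text, "unsubscribe")
              and (
                strings.icontains(.href_url.path, "unsubscribe")
                // handle mimecast URL rewrites: the path is the rewriter's, so look
                // for the sender's root domain in the query string instead
                or (
                  .href_url.domain.root_domain == 'mimecastprotect.com'
                  and strings.icontains(.href_url.query_params,
                                        sender.email.domain.root_domain
                  )
                )
              )
          )
        )
      ),
      // cryptocurrency wallet address + threat
      (
        strings.icontains(strings.replace_confusables(body.current_thread.text),
                          "contact the police"
        )
        // the alternatives look like base58 bitcoin (1.../3...), dash (X...),
        // ethereum (0x + 40 hex), litecoin (L/M/3...) and monero (4.../8...)
        // address shapes; the \b anchors keep them from matching inside longer tokens
        and regex.icontains(strings.replace_confusables(body.current_thread.text),
                            '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
        )
      ),
      // bech32 bitcoin address prefix; note this only requires a word boundary
      // within 50 characters after "bc1q", not a well-formed address
      regex.icontains(strings.replace_confusables(body.current_thread.text), 'bc1q.{0,50}\b')
    )
  )
  and (
    // sender is untrusted: not a solicited correspondent ...
    not profile.by_sender().solicited
    // ... or previously flagged malicious/spam with no false positives on record ...
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // ... or a hop carries an X-Google-Group-Id header (Google Groups relays)
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))

    // many extortion emails spoof sender domains and fail sender authentication;
    // a missing DMARC result (null) is treated the same as a failure
    or (
      not headers.auth_summary.dmarc.pass
      or headers.auth_summary.dmarc.pass is null
      or not headers.auth_summary.spf.pass
    )
  )
  // false-positive guard: very long bodies (presumably newsletters and long
  // threads) are out of scope
  and length(body.current_thread.text) < 6000

attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"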