Extortion / sextortion (untrusted sender)

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Extortion / sextortion (untrusted sender)"
  2description: |
  3    Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
  4references:
  5  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
  6type: "rule"
  7severity: "low"
   # Overall shape of the query below:
   #   inbound, few links, not classified as news/newsletter/promo
   #   AND (NLU extortion intent + financial entity  OR  3 of the manual regex indicators)
   #   AND sender is unsolicited / previously malicious / a Google Group / failing auth
   #   AND newsletter, length and high-trust-domain negations.
   # Every text indicator runs on strings.replace_confusables(body.current_thread.text);
   # the homoglyph character classes kept inside the patterns (e.g. [rŗ], [ḯiïíįī])
   # presumably cover confusables that replace_confusables does not map -- confirm.
  8source: |
  9  type.inbound
   // extortion scripts are mostly plain text; exclude link-heavy messages
   // (only links with display text are counted)
 10  and length(filter(body.links, .display_text is not null)) < 10
   // negate news / newsletter / promotional content; the topic classifier is
   // only consulted when the language classifier reports English
 11  and not (
 12    ml.nlu_classifier(body.current_thread.text).language == "english"
 13    and any(beta.ml_topic(body.html.display_text).topics,
 14            .name in (
 15              "News and Current Events",
 16              "Newsletters and Digests",
 17              "Advertising and Promotions"
 18            )
 19            and .confidence in ("high", "medium")
 20    )
 21  )
 22  and (
   // primary path: NLU must report a high-confidence "extortion" intent
   // AND a "financial" entity in the same (confusable-normalized) text
 23  (
 24      any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents,
 25          .name == "extortion" and .confidence == "high"
 26      )
 27      and any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text
 28                                )
 29              ).entities,
 30              .name == "financial"
 31      )
 32    )
 33    // manual indicators failsafe
   // fallback path when the NLU path misses: at least three of the
   // indicators in this list must match
 34    or 3 of (
 35      // malware terms
 36      regex.icontains(strings.replace_confusables(body.current_thread.text),
 37                      "(?:(?:spy|mal)ware|t[rŗ]ojan|remote control|infiltrat(?:ed|ion)|backdoor|intruder|(?:your|the).{0,15}(?:device|system|computer|phone).{0,10}(?:became|was|got|is).{0,5}comprom[ḯiïíįī]sed|prov[ḯiïíįī]d[ḯiïíįī]ng.{0,20}full [aảǡą]ccess)"
 38      ),
 39      // actions recorded
 40      regex.icontains(strings.replace_confusables(body.current_thread.text),
 41                      "(?:po[rŗ]n|a[dȡ]ult (?:web)?site|webcam|mastu[rŗ]bating|je[rŗ]king off|pleasu[rŗ]ing you[rŗ]self|getting off|explicit|cl[ḯiïíįī]ps.{0,20}screenshots)"
 42  
 43      ),
   // sexual-shaming vocabulary (counted separately from "actions recorded")
 44      regex.icontains(strings.replace_confusables(body.current_thread.text),
 45                      "(?:pe[rŗ]ve[rŗ]t|pe[rŗ]ve[rŗ]sion|mastu[rŗ]bat)"
 46      ),
 47      // a timeframe to pay
   // two patterns are passed; presumably either one matching suffices -- confirm.
   // the [ilo0-9]{2} class lets letter look-alikes stand in for digits (e.g. "4l hours")
 48      regex.icontains(strings.replace_confusables(body.current_thread.text),
 49                      '[ilo0-9]{2} (?:hou[rŗ]s|uu[rŗ])',
 50                      '(?:one|two|th[rŗ]ee|\d) d[aảǡą]ys?'
 51      ),
 52      // a promise from the actor
   // NOTE(review): I''ll is presumably a doubled-quote escape of the apostrophe
   // inside a single-quoted pattern -- confirm. The ([rŗ]emove|destroy) group is
   // capturing where the rest of the file uses (?:...); no effect on icontains.
 53      regex.icontains(strings.replace_confusables(body.current_thread.text),
 54                      '(?:pe[rŗ]manently|will|I''ll) delete|([rŗ]emove|destroy) (?:[\p{L}\p{M}\p{N}]+\s*){0,4} (?:data|ev[ḯiïįīí]dence|v[ḯiïíįī]deos?)'
 55      ),
 56      // a threat from the actor
   // "send/forward/expose <up to 5 words> to <up to 5 words> contacts|media|..."
 57      regex.icontains(strings.replace_confusables(body.current_thread.text),
 58                      '(?:\bsen[dt]|forward|expose)\s*(?:[\p{L}\p{N}]+\s*){0,5}\s*to\s*(?:[\p{L}\p{N}]+\s*){0,5}(?:contacts|media|family|friends|coworkers|associates)'
 59      ),
 60      // bitcoin language (excluding newsletters)
 61      (
 62        regex.icontains(strings.replace_confusables(body.current_thread.text),
 63                        'bitc[oöة]+in|\bbtc\b|blockchain'
 64        )
 65        // negate cryptocurrency newsletters
   // an "unsubscribe" link whose path also contains "unsubscribe" ...
 66        and not (
 67          any(body.links,
 68              strings.icontains(.display_text, "unsubscribe")
 69              and (
 70                strings.icontains(.href_url.path, "unsubscribe")
 71                // handle mimecast URL rewrites
   // ... or a mimecastprotect.com link whose query string carries the
   // sender's root domain (presumably the rewritten original URL -- confirm)
 72                or (
 73                  .href_url.domain.root_domain == 'mimecastprotect.com'
 74                  and strings.icontains(.href_url.query_params,
 75                                        sender.email.domain.root_domain
 76                  )
 77                )
 78              )
 79          )
 80        )
 81      ),
   // wallet / police phrasing combined with an address-shaped token
 82      (
 83        regex.icontains(strings.replace_confusables(body.current_thread.text),
 84                        '(?:contact the police|(?:bitcoin|\bbtc\b).{0,20}wallet)'
 85        )
   // alternatives, in order, look like: base58 1/3-prefixed (Bitcoin legacy),
   // X-prefixed 34-char, 0x + 40 hex (Ethereum-style), L/M/3-prefixed
   // (Litecoin-style), 4/8-prefixed 95-char (Monero-style) -- formats not
   // verified here, treat as heuristics
 86        and regex.icontains(strings.replace_confusables(body.current_thread.text),
 87                            '(?:\b[13][a-km-zA-HJ-NP-Z0-9]{24,34}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(?:0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
 88        )
 89      ),
   // bech32 ("bc1q") prefix; .{0,50}\b accepts any characters after the prefix,
   // so this is a prefix check, not an address validator
 90      regex.icontains(strings.replace_confusables(body.current_thread.text),
 91                      'bc1q.{0,50}\b'
 92      )
 93    )
 94  )
   // sender must be untrusted in at least one of these senses
 95  and (
 96    not profile.by_sender().solicited
   // prior malicious/spam history from this sender and no benign history
 97    or (
 98      profile.by_sender().any_messages_malicious_or_spam
 99      and not profile.by_sender().any_messages_benign
100    )
   // relayed through a Google Group (header present on any hop)
101    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
102  
103    // many extortion emails spoof sender domains and fail sender authentication
   // a missing DMARC result (null) is treated the same as a failure here
104    or (
105      not headers.auth_summary.dmarc.pass
106      or headers.auth_summary.dmarc.pass is null
107      or not headers.auth_summary.spf.pass
108    )
109  )
110  
111  // negate benign newsletters that mention cyber extortion
112  and not (
113    any(body.links,
114        strings.icontains(.display_text, "unsubscribe")
115        and strings.icontains(.href_url.path, "unsubscribe")
116        // newsletters are typically longer than the average extortion script
117        and length(body.current_thread.text) > 2000
118    )
119  )
   // upper bound on body length; long-form content is out of scope for this rule
120  and length(body.current_thread.text) < 6000
121  // negate highly trusted sender domains unless they fail DMARC authentication
   // NOTE(review): unlike the auth block above, a null dmarc.pass is not handled
   // explicitly here; confirm how `not null` evaluates so a high-trust domain
   // with no DMARC result is treated as intended
122  and (
123    (
124      sender.email.domain.root_domain in $high_trust_sender_root_domains
125      and not headers.auth_summary.dmarc.pass
126    )
127    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
128  )  
129
130attack_types:
131  - "Extortion"
132tactics_and_techniques:
133  - "Social engineering"
134  - "Spoofing"
135detection_methods:
136  - "Content analysis"
137  - "Header analysis"
138  - "Natural Language Understanding"
139  - "Sender analysis"
140id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"