Extortion / sextortion (untrusted sender)

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

Sublime rule (View on GitHub)

# Sublime Security detection rule. Everything under `source: |` is MQL, so the
# `//` comments there are part of the query text rather than YAML comments.
name: "Extortion / sextortion (untrusted sender)"
description: |
    Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
# NOTE(review): of the two body-content branches below, the keyword `3 of`
# fallback looks like the likelier source of false positives; tune there first.
severity: "low"
source: |
  // Inbound mail only. The rule then requires (1) extortion content in the
  // current thread body, (2) at least one untrusted-sender signal, and
  // (3) a body below the length cap at the end.
  type.inbound
  and (
    // (1a) classifier path: high-confidence "extortion" intent AND a
    // "financial" entity, both taken from the current thread text
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "extortion" and .confidence == "high"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "financial"
      )
    )
    // manual indicators failsafe
    // (1b) keyword path for when the classifier misses: at least 3 of the
    // indicator groups below must match (the bitcoin-language and
    // wallet-address groups are compound conditions, each counting as one)
    or 3 of (
      // malware terms
      regex.icontains(body.current_thread.text, "((spy|mal)ware|trojan|remote control)"),
      // actions recorded
      regex.icontains(body.current_thread.text,
                      "porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
      ),
      regex.icontains(body.current_thread.text, "pervert|perversion|masturbat"),
      // a timeframe to pay
      // (two patterns passed to one call; presumably either matching suffices — confirm)
      regex.icontains(body.current_thread.text, '\d\d hours', '(?:one|two|three|\d) days?'),
      // a promise from the actor
      regex.icontains(body.current_thread.text,
                        'permanently delete|(remove|destroy) (?:\w+\s*){0,4} (?:data|evidence|videos?)'
      ),
      // a threat from the actor
      regex.icontains(body.current_thread.text,
                        'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*your contacts'),
      // bitcoin language (excluding newsletters)
      (
        regex.icontains(body.current_thread.text, 'bitcoin|\bbtc\b|blockchain')
        // negate cryptocurrency newsletters
        // (a newsletter is recognised by an "unsubscribe" link whose path also
        // says unsubscribe, or a mimecast-rewritten link that carries the
        // sender's root domain in its query string)
        and not (
          any(body.links,
              strings.icontains(.display_text, "unsubscribe")
              and (
                strings.icontains(.href_url.path, "unsubscribe")
                // handle mimecast URL rewrites
                or (
                  .href_url.domain.root_domain == 'mimecastprotect.com'
                  and strings.icontains(.href_url.query_params,
                                        sender.email.domain.root_domain
                  )
                )
              )
          )
        )
      ),
      // bitcoin wallet address + threat
      // (the alternation below covers several wallet-address shapes; it only
      // counts together with the "contact the police" phrase)
      (
        strings.icontains(body.current_thread.text,
                          "contact the police"
        )
        and regex.icontains(body.current_thread.text,
                            '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
        )
      ),
      // NOTE(review): `.{0,50}\b` accepts almost any text after the prefix, so
      // this is effectively a plain "bc1q" substring check — confirm intended
      regex.icontains(body.current_thread.text, 'bc1q.{0,50}\b')
    )
  )
  // (2) untrusted-sender signals: any one of the following suffices
  and (
    // sender is not marked solicited in the sender profile
    not profile.by_sender().solicited
    // or the profile already holds malicious/spam verdicts with no recorded false positives
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // or any hop carries X-Google-Group-Id (group relay) — presumably because
    // relayed mail does not reflect the original sender's profile; verify
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))

    // many extortion emails spoof sender domains and fail sender authentication
    // (a failed OR absent DMARC result, or a failed SPF result, all count as
    // untrusted; `is null` covers mail with no DMARC evaluation at all)
    or (
      not headers.auth_summary.dmarc.pass
      or headers.auth_summary.dmarc.pass is null
      or not headers.auth_summary.spf.pass
    )
  )
  // (3) body length cap — excludes long threads (e.g. quoted replies) and
  // bounds the regex work above; the 6000 threshold is as authored
  and length(body.current_thread.text) < 6000  

attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"