Extortion / sextortion (untrusted sender)
Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
# Sublime detection rule: flags inbound extortion / sextortion scripts from senders the
# recipient has no established relationship with. The logic is the MQL expression under
# `source:`; everything above and below it is rule metadata.
name: "Extortion / sextortion (untrusted sender)"
description: |
  Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
source: |
  // Gate 1: inbound mail only, and not link-heavy (presumably to drop marketing mail
  // before the more expensive NLU calls below).
  type.inbound
  and length(filter(body.links, .display_text is not null)) < 10
  // Gate 2: exclude English mail whose HTML display text is classified with high
  // confidence as news / newsletter / advertising content. Note the language check reads
  // body.current_thread.text while the topic check reads body.html.display_text.
  and not (
    ml.nlu_classifier(body.current_thread.text).language == "english"
    and any(beta.ml_topic(body.html.display_text).topics,
            .name in (
              "News and Current Events",
              "Newsletters and Digests",
              "Advertising and Promotions"
            )
            and .confidence == "high"
    )
  )
  // Gate 3: content signal. Either the NLU classifier fires (primary path) or at least
  // three hand-written indicators match (failsafe path). Every text check below first
  // runs strings.replace_confusables, which by its name normalises homoglyphs; the
  // explicit [rŗ] classes suggest the cedilla-r variant is not covered by it — TODO confirm.
  and (
    // Primary path: high-confidence "extortion" intent plus a "financial" entity
    // (no confidence threshold is applied to the entity match).
    (
      any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents,
          .name == "extortion" and .confidence == "high"
      )
      and any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text
                                )
              ).entities,
              .name == "financial"
      )
    )
    // manual indicators failsafe
    // Failsafe path: nine indicators, at least three must be true.
    or 3 of (
      // malware terms
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      "((spy|mal)ware|t[rŗ]ojan|remote control|infiltrat(ed|ion))"
      ),
      // actions recorded
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      "po[rŗ]n|adult (web)?site|webcam|mastu[rŗ]bating|je[rŗ]king off|pleasu[rŗ]ing you[rŗ]self|getting off"
      ),
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      "pe[rŗ]ve[rŗ]t|pe[rŗ]ve[rŗ]sion|mastu[rŗ]bat"
      ),
      // a timeframe to pay
      // [ilo0-9]{2} accepts digit look-alikes (i, l, o) in the hour count; "uur" is the
      // Dutch word for hours. Two patterns are passed, so either deadline form matches.
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      '[ilo0-9]{2} (?:hou[rŗ]s|uu[rŗ])',
                      '(?:one|two|th[rŗ]ee|\d) days?'
      ),
      // a promise from the actor
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      '(?:pe[rŗ]manently|will) delete|([rŗ]emove|destroy) (?:\w+\s*){0,4} (?:data|evidence|videos?)'
      ),
      // a threat from the actor
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*.{0,10}(contacts|media|family|friends)'
      ),
      // bitcoin language (excluding newsletters)
      // The [oöة] class covers obfuscated spellings of "bitcoin" (ة is Arabic tāʼ marbūṭa).
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        'bitc[oöة]+in|\bbtc\b|blockchain'
        )
        // negate cryptocurrency newsletters
        // A link whose display text and URL path both say "unsubscribe" cancels this
        // indicator. Mimecast-rewritten links hide the real path, so for those the
        // sender's root domain is looked for in the rewritten URL's query string instead.
        and not (
          any(body.links,
              strings.icontains(.display_text, "unsubscribe")
              and (
                strings.icontains(.href_url.path, "unsubscribe")
                // handle mimecast URL rewrites
                or (
                  .href_url.domain.root_domain == 'mimecastprotect.com'
                  and strings.icontains(.href_url.query_params,
                                        sender.email.domain.root_domain
                  )
                )
              )
          )
        )
      ),
      // Wallet indicator: payment language AND something shaped like a crypto address.
      // The address alternatives appear to be, in order: legacy 1/3-prefixed Bitcoin,
      // X-prefixed 34-char (Dash-style), 0x + 40 hex (Ethereum-style), L/M/3-prefixed
      // Litecoin, 4/8-prefixed 95-char Monero — TODO confirm against the author's intent.
      // NOTE(review): the first class [a-km-zA-HJ-NP-Z0-9] admits the digit 0, which the
      // Litecoin class on the same line ([...1-9]) excludes; harmless for detection but
      // inconsistent with the Base58 alphabet.
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '(?:contact the police|(?:bitcoin|\bbtc\b).{0,20}wallet)'
        )
        and regex.icontains(strings.replace_confusables(body.current_thread.text),
                            '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,34}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
        )
      ),
      // Bech32 (bc1q) prefix. The trailing .{0,50}\b constrains almost nothing, so this
      // indicator effectively fires on the prefix alone.
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      'bc1q.{0,50}\b'
      )
    )
  )
  // Gate 4: sender is "untrusted" — any one of: recipient never solicited mail from the
  // sender; the sender has prior malicious/spam verdicts and no recorded false positives;
  // the message carries an X-Google-Group-Id hop header (presumably group-relayed mail,
  // where the sender profile is less meaningful); or sender authentication failed.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))

    // many extortion emails spoof sender domains and fail sender authentication
    // DMARC is treated as failed when the verdict is missing (is null); SPF has no
    // equivalent null branch, so a missing SPF verdict is handled only as far as
    // `not <null>` evaluates to true in MQL — TODO confirm.
    or (
      not headers.auth_summary.dmarc.pass
      or headers.auth_summary.dmarc.pass is null
      or not headers.auth_summary.spf.pass
    )
  )

  // negate benign newsletters that mention cyber extortion
  // Gate 5: long bodies (> 2000 chars) with a genuine unsubscribe link are treated as
  // newsletters; this negation does not include the Mimecast rewrite handling used above.
  and not (
    any(body.links,
        strings.icontains(.display_text, "unsubscribe")
        and strings.icontains(.href_url.path, "unsubscribe")
        // newsletters are typically longer than the average extortion script
        and length(body.current_thread.text) > 2000
    )
  )
  // Gate 6: hard upper bound on body size; bodies of 6000+ characters never match.
  and length(body.current_thread.text) < 6000
# Classification metadata used by the Sublime platform for grouping and reporting.
attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable rule identifier; do not change it, rule state and exclusions are keyed on it.
id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"