Extortion / sextortion (untrusted sender)

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

Sublime rule (View on GitHub)

name: "Extortion / sextortion (untrusted sender)"
description: |
    Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
# MQL detection logic; the rule fires when the whole expression evaluates to true.
# Every body check below runs on strings.replace_confusables(body.current_thread.text)
# so look-alike / homoglyph character substitutions cannot evade the keyword and regex
# indicators. Structure: (classifier OR manual indicators) AND sender gate AND newsletter negation AND length cap.
source: |
  type.inbound
  and (
    // primary signal: the NLU classifier reports a high-confidence "extortion" intent
    // AND extracts a "financial" entity (the payment demand) from the same thread text
    (
      any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents,
          .name == "extortion" and .confidence == "high"
      )
      and any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).entities,
              .name == "financial"
      )
    )
    // manual indicators failsafe
    // at least 3 of the 9 indicators below must match when the classifier does not fire
    or 3 of (
      // malware terms
      regex.icontains(strings.replace_confusables(body.current_thread.text), "((spy|mal)ware|trojan|remote control)"),
      // actions recorded
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                      "porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
      ),
      regex.icontains(strings.replace_confusables(body.current_thread.text), "pervert|perversion|masturbat"),
      // a timeframe to pay
      // two alternative patterns are passed; the indicator is satisfied when either one matches
      regex.icontains(strings.replace_confusables(body.current_thread.text), '\d\d hours', '(?:one|two|three|\d) days?'),
      // a promise from the actor
      // NOTE(review): the literal space after the {0,4} word group means a direct "destroy evidence"
      // (no intervening word) only matches with two consecutive spaces; "remove all the data" matches. Confirm intended.
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                        'permanently delete|(remove|destroy) (?:\w+\s*){0,4} (?:data|evidence|videos?)'
      ),
      // a threat from the actor
      // e.g. "send it to all of your contacts": up to 2 words before "to" and up to 3 after it
      regex.icontains(strings.replace_confusables(body.current_thread.text),
                        'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*your contacts'),
      // bitcoin language (excluding newsletters)
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text), 'bitcoin|\bbtc\b|blockchain')
        // negate cryptocurrency newsletters
        // an "unsubscribe" link counts only if its path also says "unsubscribe" (or is a Mimecast rewrite, below)
        and not (
          any(body.links,
              strings.icontains(.display_text, "unsubscribe")
              and (
                strings.icontains(.href_url.path, "unsubscribe")
                // handle mimecast URL rewrites
                // the rewritten link carries the original target in the query string,
                // so the sender's root domain is looked for there instead of in the path
                or (
                  .href_url.domain.root_domain == 'mimecastprotect.com'
                  and strings.icontains(.href_url.query_params,
                                        sender.email.domain.root_domain
                  )
                )
              )
          )
        )
      ),
      // bitcoin wallet address + threat
      // "contact the police" alone is common in benign mail, so it only counts paired with a wallet address
      (
        strings.icontains(strings.replace_confusables(body.current_thread.text),
                          "contact the police"
        )
        // the alternation appears to cover, in order: legacy BTC (1/3 prefix), Dash (X prefix, 34 chars),
        // Ethereum (0x + 40 hex), Litecoin (L/M/3 prefix) and Monero (4/8 prefix, 95 chars);
        // note the first character class admits '0', which the base58 alphabet does not use
        and regex.icontains(strings.replace_confusables(body.current_thread.text),
                            '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
        )
      ),
      // bech32 (native SegWit) bitcoin address prefix; ".{0,50}\b" adds almost no constraint,
      // so this is effectively "the text contains bc1q" and, unlike the entry above, it counts on its own
      regex.icontains(strings.replace_confusables(body.current_thread.text), 'bc1q.{0,50}\b')
    )
  )
  // sender gate: the body signals above are only acted on for senders whose profile is not solicited,
  // senders with a malicious/spam history and no recorded false positives, messages carrying a
  // Google Groups hop header, or messages that fail sender authentication
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))

    // many extortion emails spoof sender domains and fail sender authentication
    // NOTE(review): dmarc has an explicit "is null" (no result) branch but spf does not;
    // confirm whether a missing SPF result should also satisfy this condition
    or (
      not headers.auth_summary.dmarc.pass
      or headers.auth_summary.dmarc.pass is null
      or not headers.auth_summary.spf.pass
    )
  )

  // negate benign newsletters that mention cyber extortion
  and not (
    any(body.links,
        strings.icontains(.display_text, "unsubscribe")
        and strings.icontains(.href_url.path, "unsubscribe")
        // newsletters are typically longer than the average extortion script
        and length(body.current_thread.text) > 2000
    )
  )
  // upper bound on thread length; the rule does not state why, presumably because very long
  // bodies are unlikely to be a pasted extortion script and the regex indicators get noisier on them
  and length(body.current_thread.text) < 6000  

attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"