Extortion / sextortion (untrusted sender)
Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
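# Sublime detection rule. The content match (NLU classifier OR a quorum of
# manual indicators) is ANDed with an untrusted-sender condition and a
# body-length cap; the `source` block below carries line-level comments.
name: "Extortion / sextortion (untrusted sender)"
description: |
  Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
source: |
  // Content condition: either the NLU classifier reports an "extortion"
  // intent at high confidence together with a "financial" entity on the
  // current thread text, or at least 3 of the manual indicators match.
  type.inbound
  and (
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "extortion" and .confidence == "high"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "financial"
      )
    )
    // manual indicators failsafe
    // (at least three of the eight conditions below must be true)
    or 3 of (
      // "your device is infected" pretext
      regex.icontains(body.current_thread.text, "((spy|mal)ware|trojan)"),
      // adult-content / webcam-recording pretext
      regex.icontains(body.current_thread.text,
                      "porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
      ),
      regex.icontains(body.current_thread.text, "pervert|perversion|masturbat"),
      // two-digit payment deadline, e.g. "48 hours"
      regex.icontains(body.current_thread.text, '\d\d hours'),
      strings.icontains(body.current_thread.text, "permanently delete"),
      (
        regex.icontains(body.current_thread.text, 'bitcoin|\bbtc\b|blockchain')
        // negate cryptocurrency newsletters: an "unsubscribe" link whose URL
        // path says unsubscribe, or a Mimecast-rewritten link whose query
        // string contains the sender's root domain
        and not (
          any(body.links,
              strings.icontains(.display_text, "unsubscribe")
              and (
                strings.icontains(.href_url.path, "unsubscribe")
                // handle mimecast URL rewrites
                or (
                  .href_url.domain.root_domain == 'mimecastprotect.com'
                  and strings.icontains(.href_url.query_params,
                                        sender.email.domain.root_domain
                  )
                )
              )
          )
        )
      ),
      (
        strings.icontains(body.current_thread.text, "contact the police")
        // wallet-address formats; looks like legacy/P2SH bitcoin (1/3 prefix),
        // 0x + 40 hex (ethereum-style), L/M/3-prefixed and 4/8-prefixed
        // base58 forms -- confirm against current address specs before editing
        and regex.icontains(body.current_thread.text,
                            '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
        )
      ),
      // bech32 bitcoin prefix. NOTE(review): ".{0,50}\b" accepts almost any
      // text after "bc1q", so this behaves close to a plain substring match;
      // tighten the tail if precision becomes a problem.
      regex.icontains(body.current_thread.text, 'bc1q.{0,50}\b')
    )
  )
  // Sender condition: the sender is unsolicited, or has prior malicious/spam
  // messages with no recorded false positives, or the message carries a
  // Google Group hop header, or sender authentication fails.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // presumably messages relayed through Google Groups -- confirm intent
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))

    // many extortion emails spoof sender domains and fail sender authentication
    // (a missing DMARC result is treated the same as a failing one)
    or (
      not headers.auth_summary.dmarc.pass
      or headers.auth_summary.dmarc.pass is null
      or not headers.auth_summary.spf.pass
    )
  )
  // body-length cap; presumably to limit false positives on long
  // newsletters and threads -- confirm before changing the threshold
  and length(body.current_thread.text) < 6000

attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"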