Brand impersonation: Survey request with credential theft indicators

 1name: "Brand impersonation: Survey request with credential theft indicators"
 2description: "Detects messages containing credential theft language disguised as survey requests from promotional content, targeting organizations from untrusted or spoofed high-trust domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(ml.nlu_classifier(body.current_thread.text).intents,
 8          .name == "cred_theft" and .confidence == "high"
 9  )
10  and any(ml.nlu_classifier(body.current_thread.text).topics,
11          .name == "Advertising and Promotions" and .confidence != "low"
12  )
13  and any(ml.nlu_classifier(body.current_thread.text).entities,
14          .name in ("request", "org") and strings.icontains(.text, "survey")
15  )
16  // and the sender is not from high trust sender root domains
17  and (
18    (
19      sender.email.domain.root_domain in $high_trust_sender_root_domains
20      and not headers.auth_summary.dmarc.pass
21    )
22    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
23  )  
24
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Social engineering"
29  - "Impersonation: Brand"
30  - "Spoofing"
31detection_methods:
32  - "Content analysis"
33  - "Header analysis"
34  - "Natural Language Understanding"
35  - "Sender analysis"
36id: "ea1c0e09-ef3d-5c30-b5c1-ffa1b71a7b88"