Brand impersonation: Survey request with credential theft indicators

Detects messages containing credential theft language disguised as survey requests from promotional content, targeting organizations from untrusted or spoofed high-trust domains.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Survey request with credential theft indicators"
 2description: "Detects messages containing credential theft language disguised as survey requests from promotional content, targeting organizations from untrusted or spoofed high-trust domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    any(ml.nlu_classifier(body.current_thread.text).intents,
 9        .name == "cred_theft" and .confidence == "high"
10    )
11    or any(ml.nlu_classifier(body.current_thread.text).entities,
12           .name == "org" and .text == 'AAA'
13    )
14    or any(ml.nlu_classifier(body.current_thread.text).entities,
15           .name == "request" and strings.icontains(.text, 'Claim Your Free Kit')
16    )
17    or length(filter(ml.nlu_classifier(body.current_thread.text).entities,
18                     .name == "financial"
19                     and regex.icontains(.text, '\d{2}%\s*discount$')
20              )
21    ) >= 2
22  )
23  and any(ml.nlu_classifier(body.current_thread.text).topics,
24          .name == "Advertising and Promotions" and .confidence != "low"
25  )
26  and any(ml.nlu_classifier(body.current_thread.text).entities,
27          .name in ("request", "org") and strings.icontains(.text, "survey")
28  )
29  // and the sender is not from high trust sender root domains
30  and (
31    (
32      sender.email.domain.root_domain in $high_trust_sender_root_domains
33      and not headers.auth_summary.dmarc.pass
34    )
35    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
36  )  
37attack_types:
38  - "Credential Phishing"
39tactics_and_techniques:
40  - "Social engineering"
41  - "Impersonation: Brand"
42  - "Spoofing"
43detection_methods:
44  - "Content analysis"
45  - "Header analysis"
46  - "Natural Language Understanding"
47  - "Sender analysis"
48id: "ea1c0e09-ef3d-5c30-b5c1-ffa1b71a7b88"
to-top