Brand impersonation: Survey request with credential theft indicators
Detects messages containing credential theft language disguised as survey requests from promotional content, targeting organizations from untrusted or spoofed high-trust domains.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Survey request with credential theft indicators"
2description: "Detects messages containing credential theft language disguised as survey requests from promotional content, targeting organizations from untrusted or spoofed high-trust domains."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 any(ml.nlu_classifier(body.current_thread.text).intents,
9 .name == "cred_theft" and .confidence == "high"
10 )
11 or any(ml.nlu_classifier(body.current_thread.text).entities,
12 .name == "org" and .text == 'AAA'
13 )
14 or any(ml.nlu_classifier(body.current_thread.text).entities,
15 .name == "request" and strings.icontains(.text, 'Claim Your Free Kit')
16 )
17 or length(filter(ml.nlu_classifier(body.current_thread.text).entities,
18 .name == "financial"
19 and regex.icontains(.text, '\d{2}%\s*discount$')
20 )
21 ) >= 2
22 )
23 and any(ml.nlu_classifier(body.current_thread.text).topics,
24 .name == "Advertising and Promotions" and .confidence != "low"
25 )
26 and any(ml.nlu_classifier(body.current_thread.text).entities,
27 .name in ("request", "org") and strings.icontains(.text, "survey")
28 )
29 // and the sender is not from high trust sender root domains
30 and (
31 (
32 sender.email.domain.root_domain in $high_trust_sender_root_domains
33 and not headers.auth_summary.dmarc.pass
34 )
35 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
36 )
37attack_types:
38 - "Credential Phishing"
39tactics_and_techniques:
40 - "Social engineering"
41 - "Impersonation: Brand"
42 - "Spoofing"
43detection_methods:
44 - "Content analysis"
45 - "Header analysis"
46 - "Natural Language Understanding"
47 - "Sender analysis"
48id: "ea1c0e09-ef3d-5c30-b5c1-ffa1b71a7b88"