Constant Contact link infrastructure abuse

  1name: "Constant Contact link infrastructure abuse"
  2description: "Email contains a Constant Contact (mass mailing platform) tracking link but does not originate from Constant Contact sending infrastructure. The rs6.net domain has been abused by threat actors to attempt credential phishing."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      length(body.links) < 15
 10      and any(body.links, .href_url.domain.root_domain == "rs6.net")
 11    )
 12    or (
 13      length(attachments) <= 3
 14      and (
 15        any(attachments,
 16            (.file_type in $file_types_images or .file_type == "pdf")
 17            and any(file.explode(.),
 18                    .scan.qr.type is not null
 19                    and .scan.qr.url.domain.root_domain == "rs6.net"
 20                    // exclude images taken with mobile cameras and screenshots from android
 21                    and not any(.scan.exiftool.fields,
 22                                .key == "Model"
 23                                or (
 24                                  .key == "Software"
 25                                  and strings.starts_with(.value, "Android")
 26                                )
 27                    )
 28                    // exclude images taken with mobile cameras and screenshots from Apple
 29                    and not any(.scan.exiftool.fields,
 30                                .key == "DeviceManufacturer"
 31                                and .value == "Apple Computer Inc."
 32                    )
 33            )
 34        )
 35        or (
 36          length(attachments) == 0
 37          and any(file.explode(beta.message_screenshot()),
 38                  .scan.exiftool.image_height < 2000
 39                  and .scan.exiftool.image_width < 2000
 40                  and .scan.qr.type is not null
 41                  and .scan.qr.url.domain.root_domain == "rs6.net"
 42          )
 43        )
 44      )
 45    )
 46  )
 47  and not (
 48    any(headers.hops,
 49        strings.icontains(.authentication_results.spf_details.designator,
 50                          "constantcontact.com"
 51        )
 52    )
 53    or any(headers.hops,
 54           strings.icontains(.received_spf.designator, "constantcontact.com")
 55    )
 56    or (
 57      (
 58        any(headers.hops,
 59            .index == 0
 60            and any(.authentication_results.dkim_details,
 61                    .domain == "auth.ccsend.com"
 62            )
 63        )
 64      )
 65      and headers.auth_summary.dmarc.pass
 66      )
 67    or any(headers.references, strings.iends_with(., "ccsend.com"))
 68  )
 69  // negating legit replies
 70  and not (
 71    (
 72      strings.istarts_with(subject.subject, "RE:")
 73      or strings.istarts_with(subject.subject, "FW:")
 74      or strings.istarts_with(subject.subject, "FWD:")
 75      or strings.istarts_with(subject.subject, "Automatic reply:")
 76      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*')
 77    )
 78    and (
 79      length(headers.references) > 0
 80      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 81    )
 82  )
 83  // negate highly trusted sender domains unless they fail DMARC authentication
 84  and (
 85    (
 86      sender.email.domain.root_domain in $high_trust_sender_root_domains
 87      and not headers.auth_summary.dmarc.pass
 88    )
 89    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 90  )
 91  and profile.by_sender().prevalence in ("new", "outlier", "rare")  
 92
 93
 94attack_types:
 95  - "Credential Phishing"
 96tactics_and_techniques:
 97  - "Free email provider"
 98  - "Open redirect"
 99  - "Social engineering"
100detection_methods:
101  - "Content analysis"
102  - "Header analysis"
103  - "QR code analysis"
104  - "Sender analysis"
105id: "8c5e8e4c-c610-5ece-b82a-214c637cba09"