Corporate Services Impersonation Phishing
Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.
name: "Corporate Services Impersonation Phishing"
description: "Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  // use distinct "urls" (without query params) to determine number of links
  // the message must carry at least one link and no more than 8 distinct ones
  and 0 < length(distinct(body.links,
                          // strip out query params to determine
                          // the unique number of links
                          // (dedupe key is scheme + domain + path; the query string is dropped)
                          strings.concat(.href_url.scheme,
                                         .href_url.domain.domain,
                                         .href_url.path
                          )
                 )
      ) <= 8

  // HR language found in subject
  and (
    (
      // short subjects are not tested; only subjects longer than 20 chars qualify
      length(subject.subject) > 20
      // note the alternation: a bare "time sheet" matches on its own, while
      // "employ" / "update(d|to)" must be followed within 30 chars by an HR or
      // benefits term
      and regex.icontains(subject.subject,
                          '(time.{0,4}sheet)|(employ|update(?:d| to)).{0,30}(benefit|handbook|comp\b|compensation|salary|pay(roll)?|policy|conduct|acknowl|PTO|vacation)'
      )
    )

    // or HR language found in sender
    or (
      regex.icontains(sender.display_name,
                      '(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)|Internal.?Comm'
      )
      // display names that contain the terms above but are known-benign
      // (forums, newsletters, screening notices, named HR products)
      and not regex.icontains(sender.display_name,
                              "forum|employee voice|briefs|newsletter|screening"
      )
      and not regex.icontains(sender.display_name,
                              "HR (new|vue|view|tech admin|global)"
      )
    )
  )

  // suspicious display_text
  and (
    any(body.links,
        // call-to-action link text; the "Vιew" alternative is spelled with a
        // Greek iota so homoglyph spellings of "view" are caught too
        regex.icontains(.display_text,
                        '((verify|view|click|download|goto|keep|Vιew|release).{0,10}(request|here|attachment|current|download|fax|file|document|message|same)s?)'
        )
        // unsubscribe, privacy-policy and registration links use the same
        // wording legitimately
        and not strings.ilike(.display_text, "*unsub*")
        and not strings.ilike(.href_url.url, "*privacy-policy*")
        and not strings.ilike(.display_text, "*REGISTER*")

        // from a low reputation link
        and (
          // the org's own domains are never treated as low reputation
          not .href_url.domain.root_domain in $org_domains
          and (
            // outside $tranco_1m, or on a free file host, free subdomain host
            // or URL shortener (all of which hide the true destination)
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
          )
          or
          // or mass mailer link, masks the actual URL
          .href_url.domain.root_domain in (
            "hubspotlinks.com",
            "mandrillapp.com",
            "sendgrid.net",
            "rs6.net",
            "mailanyone.net",
          )
        )
    )
    // or credential theft confidence high
    // alternative path: skips the link-text and link-reputation checks above;
    // it only needs at least one link plus a high-confidence NLU cred_theft intent
    or (
      length(body.links) > 0
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence == "high"
      )
      // sender root domains excluded from this path
      // NOTE(review): "or.us" looks like a public-suffix style entry; confirm
      // root_domain actually resolves to it for the intended senders
      and not sender.email.domain.root_domain in (
        "servicenowservices.com",
        "workplaceextras.com",
        "tempo.io",
        "or.us"
      )
    )
  )
  // negate messages where "click here" was found and was a link actually an unsub link
  // this method allows for matching on other 'click here' links if they are present
  and not (
    length(filter(body.links, strings.icontains(.display_text, 'click here'))) > 0
    and (
      // every "click here" link is accounted for by a
      // "click here to unsubscribe" occurrence in the thread text
      length(filter(body.links, strings.icontains(.display_text, 'click here'))) == strings.icount(body.current_thread.text,
                                                                                                  'click here to unsubscribe'
      )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // a high-trust or org sender domain that fails DMARC is a spoofing indicator
  // and stays in scope; any other sender domain always stays in scope
  and (
    (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        or sender.email.domain.root_domain in $org_domains
      )
      and not headers.auth_summary.dmarc.pass
    )
    or (
      sender.email.domain.root_domain not in $high_trust_sender_root_domains
      and sender.email.domain.root_domain not in $org_domains
    )
  )
  // not from sharepointonline actual
  // identified by a Message-ID of the form "<Spo...@odspnotify>"
  and not (
    sender.email.domain.root_domain == "sharepointonline.com"
    and strings.ends_with(headers.message_id, '@odspnotify>')
    and strings.starts_with(headers.message_id, "<Spo")
  )
  // negate common helpdesk platforms
  // (checked against every domain found in the headers, not only the sender)
  and not any(headers.domains, .root_domain in ("freshemail.io", "zendesk.com"))
  // negate observed HR newsletters
  // the observed pattern: an SPF designator containing constantcontact.com on a
  // hop, a local part starting with "newsletters-hr", and root domain ccsend.com
  and not (
    any(headers.hops,
        strings.icontains(.authentication_results.spf_details.designator,
                          "constantcontact.com"
        )
    )
    and strings.starts_with(sender.email.local_part, 'newsletters-hr')
    and sender.email.domain.root_domain == "ccsend.com"
  )
  // sender profile: unsolicited senders, or solicited senders with prior
  // malicious/spam messages and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // already implied by the trailing any_false_positives exclusion below;
      // kept as written
      and not profile.by_sender().any_false_positives
    )
  )
  // any sender with a recorded false positive is always excluded
  and not profile.by_sender().any_false_positives
# classification metadata
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "3cd04f33-5519-5cc1-8740-e8ce6cddf8a0"