Corporate Services Impersonation Phishing
Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.
# Sublime detection rule. The `source` block scalar is MQL; lines starting with `//` inside it are MQL comments.
name: "Corporate Services Impersonation Phishing"
description: "Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains."
type: "rule"
severity: "high"
source: |
  // Gate: inbound mail carrying between 1 and 7 links. Every later clause
  // that inspects body.links relies on this bound.
  type.inbound
  and 0 < length(body.links) < 8

  // HR language found in subject
  and (
    (
      // subjects shorter than 21 characters are ignored to limit matches on terse, benign subjects
      length(subject.subject) > 20
      and regex.icontains(subject.subject,
                          '(time.{0,4}sheet)|(employ).{0,30}(benefit|handbook|comp\b|compensation|salary|pay(roll)?|policy|conduct|acknowl|PTO|vacation)'
      )
    )

    // or HR language found in sender
    or (
      regex.icontains(sender.display_name,
                      '(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)'
      )
      // display names that describe bulk/newsletter senders or known product names are excluded
      and not regex.icontains(sender.display_name,
                              "forum|employee voice|briefs|newsletter|screening"
      )
      and not regex.icontains(sender.display_name, "HR (new|vue|view|tech admin|global)")
    )
  )

  // suspicious display_text
  and (
    any(body.links,
        // `Vιew` is spelled with a Greek small iota (U+03B9) so the homoglyph variant of "view" is also caught
        regex.icontains(.display_text,
                        '((verify|view|click|download|goto|keep|Vιew|release).{0,10}(request|here|attachment|current|download|fax|file|document|message|same)s?)'
        )
        and not strings.ilike(.display_text, "*unsub*")
        and not strings.ilike(.href_url.url, "*privacy-policy*")
        and not strings.ilike(.display_text, "*REGISTER*")

        // from a low reputation link
        and (
          // low-reputation branch: never the org's own domains, and either unranked or on a hosting/shortener list
          not .href_url.domain.root_domain in $org_domains
          and (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
          )
          or
          // or mass mailer link, masks the actual URL
          // (this branch is OR'd with the whole low-reputation clause above, so the
          // $org_domains exclusion does not apply to it)
          .href_url.domain.root_domain in (
            "hubspotlinks.com",
            "mandrillapp.com",
            "sendgrid.net",
            "rs6.net",
            "mailanyone.net",
          )
        )
    )
    // or credential theft confidence high
    or (
      // already implied by the top-level 0 < length(body.links) gate; kept for readability
      length(body.links) > 0
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence == "high"
      )
      // sender root domains whose legitimate mail tends to trigger the cred_theft intent
      and not sender.email.domain.root_domain in (
        "servicenowservices.com",
        "workplaceextras.com",
        "tempo.io",
        "or.us"
      )
    )
  )
  // negate messages where "click here" was found and was a link actually an unsub link
  // this method allows for matching on other 'click here' links if they are present
  // (i.e. only negate when every 'click here' link is accounted for by an unsubscribe sentence)
  and not (
    length(filter(body.links, strings.icontains(.display_text, 'click here'))) > 0
    and (
      length(filter(body.links, strings.icontains(.display_text, 'click here')))
      ==
      strings.icount(body.current_thread.text, 'click here to unsubscribe')
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // trusted/org senders are kept only when DMARC did not pass (possible spoof);
  // every other sender passes through this clause unchanged
  and (
    (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        or sender.email.domain.root_domain in $org_domains
      )
      and not headers.auth_summary.dmarc.pass
    )
    or (
      sender.email.domain.root_domain not in $high_trust_sender_root_domains
      and sender.email.domain.root_domain not in $org_domains
    )
  )
  // not from sharepointonline actual
  // only sharepointonline.com senders whose Message-ID has the ODSP notification form
  // are excluded; other sharepointonline.com senders are still evaluated
  and not (
    sender.email.domain.root_domain == "sharepointonline.com" and
    strings.ends_with(headers.message_id, '@odspnotify>') and strings.starts_with(headers.message_id, "<Spo")
  )
  // negate common helpdesk platforms
  // NOTE(review): this negation keys on domains taken from message headers; confirm it
  // cannot be satisfied by a sender-controlled header before relying on it
  and not any(headers.domains, .root_domain in ("freshemail.io", "zendesk.com"))
  // negate observed HR newsletters
  // all three conditions (SPF designator, local part prefix, root domain) must hold
  and not (
    any(headers.hops,
        strings.icontains(.authentication_results.spf_details.designator,
                          "constantcontact.com"
        )
    )
    and strings.starts_with(sender.email.local_part, 'newsletters-hr')
    and sender.email.domain.root_domain == "ccsend.com"
  )
  // sender profile: unsolicited senders always pass; solicited senders only when
  // they have prior malicious/spam history
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // the trailing false-positive check below also makes the inner
  // `and not profile.by_sender().any_false_positives` redundant
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "3cd04f33-5519-5cc1-8740-e8ce6cddf8a0"