Credential phishing: Email delivery failure impersonation

Detects phishing emails impersonating email system notifications claiming delivery failures, rejected messages, or email system issues requiring user action to 'fix' or 'recover' email functionality. These attacks typically claim incoming emails couldn't be delivered and direct users to malicious portals to harvest credentials.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata around an MQL query in `source`.
name: "Credential phishing: Email delivery failure impersonation"
description: |
  Detects phishing emails impersonating email system notifications claiming delivery failures, 
  rejected messages, or email system issues requiring user action to 'fix' or 'recover' email functionality.
  These attacks typically claim incoming emails couldn't be delivered and direct users to malicious 
  portals to harvest credentials.  
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail with fewer than 10 links in the body.
  type.inbound
  and length(body.links) < 10
  // Credential-theft signal: either the NLU classifier reports a high-confidence
  // "cred_theft" intent on the current thread, or the thread is short (< 250 chars)
  // and mentions a To: recipient's domain SLD or local part (personalised lure).
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or (
      length(body.current_thread.text) < 250
      and any(recipients.to,
              strings.icontains(body.current_thread.text, .email.domain.sld)
              or strings.icontains(body.current_thread.text, .email.local_part)
      )
    )
  )
  // Theme: the subject mentions mail/e-mail(s), or a short body (< 700 chars) contains "mail".
  and (
    regex.icontains(subject.subject, '(e)?mail(s)?')
    or (
      length(body.current_thread.text) < 700
      and strings.ilike(body.current_thread.text, '*mail*')
    )
  )
  // Delivery-failure vocabulary: at least three of these phrases must appear in the thread.
  and 3 of (
    strings.ilike(body.current_thread.text, "*incoming messages*"),
    strings.ilike(body.current_thread.text, "*server error*"),
    strings.ilike(body.current_thread.text, "*blocked*"),
    strings.ilike(body.current_thread.text, "*prevented*"),
    strings.ilike(body.current_thread.text, "*notification*"),
    strings.ilike(body.current_thread.text, "*fix email issues*"),
    strings.ilike(body.current_thread.text, "*rejected*"),
    strings.ilike(body.current_thread.text, "*recover and prevent*"),
    strings.ilike(body.current_thread.text, "*failure*"),
    strings.ilike(body.current_thread.text, "*rejection*"),
    strings.ilike(body.current_thread.text, "*failed*")
  )
  // Link / sender heuristics: any one of the four alternatives below must hold.
  and (
    // 1. A call-to-action link (view/messages/recover/fix/portal/connect) whose
    //    root domain is gmass.co, excluding the literal display text "View Report".
    // NOTE(review): `("gmass.co")` is a single-element list — confirm `in` treats
    //    it as list membership rather than a substring match.
    any(body.links,
        regex.icontains(.display_text,
                        "view",
                        "messages",
                        "recover",
                        "fix",
                        "portal",
                        "connect"
        )
        and not .display_text == "View Report"
        and .href_url.domain.root_domain in ("gmass.co")
    )
    // 2. Very few links (< 3) and a link whose displayed URL root domain equals a
    //    To: recipient's domain while the actual href is mismatched.
    or (
      length(body.links) < 3
      and any(body.links,
              any(recipients.to,
                  .email.domain.root_domain == ..display_url.domain.root_domain
                  and ..mismatched
              )
      )
    )
    // 3. Every To: recipient's local part equals the sender display name.
    // NOTE(review): all() over an empty recipients.to list may be vacuously true —
    //    confirm MQL semantics for empty lists.
    or (all(recipients.to, .email.local_part == sender.display_name))
    // 4. A Proofpoint-rewritten link whose root domain is neither in the Tranco
    //    top 50k nor one of the org's own domains.
    or any(body.links,
           any(.href_url.rewrite.encoders, . == "proofpoint")
           and .href_url.domain.root_domain not in $tranco_50k
           and .href_url.domain.root_domain not in $org_domains
    )
  )
  // Exclude document-signing style links (view / review-and-sign document).
  and not any(body.links,
              regex.icontains(.display_text,
                              "view document",
                              "review (&|and) sign document"
              )
  )
  // Exclude Microsoft-related sender root domains and ppops.net
  // (presumably a mail-relay domain — confirm).
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "office365.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
    "ppops.net"
  )
  
  // negate org domains unless they fail DMARC authentication
  // NOTE(review): when dmarc.pass is true, `not (... is null and ...)` evaluates
  // true, so the `or not (...)` branch still matches org-domain senders that pass
  // DMARC; if the intent above is to exempt them, `and not (...)` may be what is
  // meant — confirm against MQL null/boolean semantics before changing.
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and (
        not headers.auth_summary.dmarc.pass
        // MS emails from an org domain are routed "internally" to MS, therefore, there is no authentication information
        or not (
          headers.auth_summary.dmarc.pass is null
          and all(headers.domains,
                  .root_domain in ("outlook.com", "office365.com")
          )
          // typical emails from freemail Outlook accounts are from prod.outlook.com
          and strings.ends_with(headers.message_id, "protection.outlook.com>")
        )
      )
    )
    or sender.email.domain.root_domain not in $org_domains
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender-profile exclusions: solicited senders and senders with prior false positives.
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives
    
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "ee318b89-0d4e-5c94-80ad-08991d3958b2"