Fake email quarantine notification
Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.
Sublime rule (View on GitHub)
1name: "Fake email quarantine notification"
2description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and length(body.links) < 10
8 and (
9 any(ml.nlu_classifier(body.current_thread.text).intents,
10 .name == "cred_theft" and .confidence == "high"
11 )
12 or (
13 length(body.current_thread.text) < 250
14 and any(recipients.to,
15 strings.icontains(body.current_thread.text, .email.domain.sld)
16 or strings.icontains(body.current_thread.text, .email.local_part)
17 )
18 )
19 )
20 and 3 of (
21 strings.ilike(body.current_thread.text, "*review*"),
22 strings.ilike(body.current_thread.text, "*incoming*"),
23 strings.ilike(body.current_thread.text, "*release*"),
24 strings.ilike(body.current_thread.text, "*quarantine*"),
25 strings.ilike(body.current_thread.text, "*messages*"),
26 strings.ilike(body.current_thread.text, "*server error*"),
27 strings.ilike(body.current_thread.text, "*blocked*"),
28 strings.ilike(body.current_thread.text, "*prevented*"),
29 strings.ilike(body.current_thread.text, "*validation*"),
30 strings.ilike(body.current_thread.text, "*notification*"),
31 strings.ilike(body.current_thread.text, "*kindly*"),
32 strings.ilike(body.current_thread.text, "*on hold*"),
33 strings.ilike(body.current_thread.text, "*held*"),
34 strings.ilike(body.current_thread.text, "*pending*"),
35 strings.ilike(body.current_thread.text, "*stuck*"),
36 strings.like(body.current_thread.text, "* MX *")
37 )
38 and (
39 any(body.links,
40 regex.icontains(.display_text, "view", "release", "messages", "delete", "recover", "SSO", "sign in")
41 )
42 or (
43 length(body.links) < 3
44 and any(body.links,
45 any(recipients.to,
46 .email.domain.root_domain == ..display_url.domain.root_domain
47 and ..mismatched
48 )
49 )
50 )
51 )
52 and not any(body.links,
53 regex.icontains(.display_text,
54 "view document",
55 "review (&|and) sign document"
56 )
57 )
58 and sender.email.domain.root_domain not in (
59 "bing.com",
60 "microsoft.com",
61 "microsoftonline.com",
62 "microsoftsupport.com",
63 "microsoft365.com",
64 "office.com",
65 "office365.com",
66 "onedrive.com",
67 "sharepointonline.com",
68 "yammer.com",
69 "ppops.net"
70 )
71
72 // negate org domains unless they fail DMARC authentication
73 and (
74 (
75 sender.email.domain.root_domain in $org_domains
76 and (
77 not headers.auth_summary.dmarc.pass
78 // MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
79 or not (
80 headers.auth_summary.dmarc.pass is null
81 and all(headers.domains,
82 .root_domain in ("outlook.com", "office365.com")
83 )
84 // typical emails from freemail Outlook accounts are from prod.outlook.com
85 and strings.ends_with(headers.message_id, "protection.outlook.com>")
86 )
87 )
88 )
89 or sender.email.domain.root_domain not in $org_domains
90 )
91
92 // negate highly trusted sender domains unless they fail DMARC authentication
93 and (
94 (
95 sender.email.domain.root_domain in $high_trust_sender_root_domains
96 and not headers.auth_summary.dmarc.pass
97 )
98 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
99 )
100 and not profile.by_sender().solicited
101 and not profile.by_sender().any_messages_benign
102
103attack_types:
104 - "Credential Phishing"
105tactics_and_techniques:
106 - "Social engineering"
107detection_methods:
108 - "Content analysis"
109 - "Natural Language Understanding"
110 - "Sender analysis"
111id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"