Fake email quarantine notification

Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.

Sublime rule (View on GitHub)

  1name: "Fake email quarantine notification"
  2description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and length(body.links) < 10
  8  and (
  9    any(ml.nlu_classifier(body.current_thread.text).intents,
 10        .name == "cred_theft" and .confidence == "high"
 11    )
 12    or (
 13      length(body.current_thread.text) < 250
 14      and any(recipients.to,
 15              strings.icontains(body.current_thread.text, .email.domain.sld)
 16              or strings.icontains(body.current_thread.text, .email.local_part)
 17      )
 18    )
 19  )
 20  and 3 of (
 21    strings.ilike(body.current_thread.text, "*review*"),
 22    strings.ilike(body.current_thread.text, "*incoming*"),
 23    strings.ilike(body.current_thread.text, "*release*"),
 24    strings.ilike(body.current_thread.text, "*quarantine*"),
 25    strings.ilike(body.current_thread.text, "*messages*"),
 26    strings.ilike(body.current_thread.text, "*server error*"),
 27    strings.ilike(body.current_thread.text, "*blocked*"),
 28    strings.ilike(body.current_thread.text, "*prevented*"),
 29    strings.ilike(body.current_thread.text, "*validation*"),
 30    strings.ilike(body.current_thread.text, "*notification*"),
 31    strings.ilike(body.current_thread.text, "*kindly*"),
 32    strings.ilike(body.current_thread.text, "*on hold*"),
 33    strings.ilike(body.current_thread.text, "*held*"),
 34    strings.ilike(body.current_thread.text, "*pending*"),
 35    strings.ilike(body.current_thread.text, "*stuck*"),
 36    strings.like(body.current_thread.text, "* MX *")
 37  )
 38  and (
 39    any(body.links,
 40        regex.icontains(.display_text, "view", "release", "messages", "delete", "recover", "SSO", "sign in")
 41    )
 42    or (
 43      length(body.links) < 3
 44      and any(body.links,
 45              any(recipients.to,
 46                  .email.domain.root_domain == ..display_url.domain.root_domain
 47                  and ..mismatched
 48              )
 49      )
 50    )
 51  )
 52  and not any(body.links,
 53              regex.icontains(.display_text,
 54                              "view document",
 55                              "review (&|and) sign document"
 56              )
 57  )
 58  and sender.email.domain.root_domain not in (
 59    "bing.com",
 60    "microsoft.com",
 61    "microsoftonline.com",
 62    "microsoftsupport.com",
 63    "microsoft365.com",
 64    "office.com",
 65    "office365.com",
 66    "onedrive.com",
 67    "sharepointonline.com",
 68    "yammer.com",
 69    "ppops.net"
 70  )
 71  
 72  // negate org domains unless they fail DMARC authentication
 73  and (
 74    (
 75      sender.email.domain.root_domain in $org_domains
 76      and (
 77        not headers.auth_summary.dmarc.pass
 78        // MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
 79        or not (
 80          headers.auth_summary.dmarc.pass is null
 81          and all(headers.domains,
 82                  .root_domain in ("outlook.com", "office365.com")
 83          )
 84          // typical emails from freemail Outlook accounts are from prod.outlook.com
 85          and strings.ends_with(headers.message_id, "protection.outlook.com>")
 86        )
 87      )
 88    )
 89    or sender.email.domain.root_domain not in $org_domains
 90  )
 91  
 92  // negate highly trusted sender domains unless they fail DMARC authentication
 93  and (
 94    (
 95      sender.email.domain.root_domain in $high_trust_sender_root_domains
 96      and not headers.auth_summary.dmarc.pass
 97    )
 98    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 99  )
100  and not profile.by_sender().solicited
101  and not profile.by_sender().any_messages_benign  
102
103attack_types:
104  - "Credential Phishing"
105tactics_and_techniques:
106  - "Social engineering"
107detection_methods:
108  - "Content analysis"
109  - "Natural Language Understanding"
110  - "Sender analysis"
111id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"
to-top