Fake email quarantine notification
Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.
Sublime rule (View on GitHub)
1name: "Fake email quarantine notification"
2description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and length(body.links) < 10
8 and (
9 any(ml.nlu_classifier(body.current_thread.text).intents,
10 .name == "cred_theft" and .confidence == "high"
11 )
12 or (
13 length(body.current_thread.text) < 250
14 and any(recipients.to,
15 strings.icontains(body.current_thread.text, .email.domain.sld)
16 or strings.icontains(body.current_thread.text, .email.local_part)
17 )
18 )
19 )
20 and not (
21 length(ml.nlu_classifier(body.current_thread.text).topics) == 1
22 and any(ml.nlu_classifier(body.current_thread.text).topics,
23 .name == "Financial Communications" and .confidence != "low"
24 )
25 )
26 and 3 of (
27 strings.ilike(body.current_thread.text, "*review*"),
28 strings.ilike(body.current_thread.text, "*incoming*"),
29 strings.ilike(body.current_thread.text, "*release*"),
30 strings.ilike(body.current_thread.text, "*quarantine*"),
31 strings.ilike(body.current_thread.text, "*messages*"),
32 strings.ilike(body.current_thread.text, "*server error*"),
33 strings.ilike(body.current_thread.text, "*blocked*"),
34 strings.ilike(body.current_thread.text, "*prevented*"),
35 strings.ilike(body.current_thread.text, "*validation*"),
36 strings.ilike(body.current_thread.text, "*notification*"),
37 strings.ilike(body.current_thread.text, "*kindly*"),
38 strings.ilike(body.current_thread.text, "*on hold*"),
39 strings.ilike(body.current_thread.text, "*held*"),
40 strings.ilike(body.current_thread.text, "*pending*"),
41 strings.ilike(body.current_thread.text, "*stuck*"),
42 strings.like(body.current_thread.text, "* MX *")
43 )
44 and (
45 any(body.links,
46 regex.icontains(.display_text, "view", "release", "message", "delete", "recover", "SSO", "sign in")
47 )
48 or (
49 length(body.links) < 3
50 and any(body.links,
51 any(recipients.to,
52 .email.domain.root_domain == ..display_url.domain.root_domain
53 and ..mismatched
54 )
55 )
56 )
57 )
58 and not any(body.links,
59 regex.icontains(.display_text,
60 "view document",
61 "review (&|and) sign document"
62 )
63 )
64 and sender.email.domain.root_domain not in (
65 "bing.com",
66 "microsoft.com",
67 "microsoftonline.com",
68 "microsoftsupport.com",
69 "microsoft365.com",
70 "office.com",
71 "office365.com",
72 "onedrive.com",
73 "sharepointonline.com",
74 "yammer.com",
75 "ppops.net"
76 )
77
78 // negate org domains unless they fail DMARC authentication
79 and (
80 (
81 sender.email.domain.root_domain in $org_domains
82 and (
83 not headers.auth_summary.dmarc.pass
84 // MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
85 or not (
86 headers.auth_summary.dmarc.pass is null
87 and all(headers.domains,
88 .root_domain in ("outlook.com", "office365.com")
89 )
90 // typical emails from freemail Outlook accounts are from prod.outlook.com
91 and strings.ends_with(headers.message_id, "protection.outlook.com>")
92 )
93 )
94 )
95 or sender.email.domain.root_domain not in $org_domains
96 )
97
98 // negate highly trusted sender domains unless they fail DMARC authentication
99 and (
100 (
101 sender.email.domain.root_domain in $high_trust_sender_root_domains
102 and not headers.auth_summary.dmarc.pass
103 )
104 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
105 )
106 and not profile.by_sender().solicited
107 and not profile.by_sender().any_messages_benign
108
109attack_types:
110 - "Credential Phishing"
111tactics_and_techniques:
112 - "Social engineering"
113detection_methods:
114 - "Content analysis"
115 - "Natural Language Understanding"
116 - "Sender analysis"
117id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"