Fake email quarantine notification
Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.
# Sublime Security detection rule; the `source` block scalar holds the MQL query.
# Rendering dropped the original indentation, which has been restored here.
name: "Fake email quarantine notification"
description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail with fewer than 10 links in the body.
  type.inbound
  and length(body.links) < 10

  // Either the NLU classifier flags high-confidence credential theft, or the
  // thread is short (< 250 chars) and mentions a recipient's own domain SLD or
  // mailbox local part (personalised "your mailbox" lures).
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or (
      length(body.current_thread.text) < 250
      and any(recipients.to,
              strings.icontains(body.current_thread.text, .email.domain.sld)
              or strings.icontains(body.current_thread.text, .email.local_part)
      )
    )
  )

  // Exclude threads whose single NLU topic is "Financial Communications" at
  // anything above low confidence.
  and not (
    length(ml.nlu_classifier(body.current_thread.text).topics) == 1
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Financial Communications" and .confidence != "low"
    )
  )

  // Require at least three quarantine / hold / release vocabulary hits.
  // All patterns use ilike except the last, which uses strings.like for " MX "
  // (presumably to keep that match case-sensitive - confirm).
  and 3 of (
    strings.ilike(body.current_thread.text, "*review*"),
    strings.ilike(body.current_thread.text, "*incoming*"),
    strings.ilike(body.current_thread.text, "*release*"),
    strings.ilike(body.current_thread.text, "*quarantine*"),
    strings.ilike(body.current_thread.text, "*messages*"),
    strings.ilike(body.current_thread.text, "*server error*"),
    strings.ilike(body.current_thread.text, "*blocked*"),
    strings.ilike(body.current_thread.text, "*prevented*"),
    strings.ilike(body.current_thread.text, "*validation*"),
    strings.ilike(body.current_thread.text, "*notification*"),
    strings.ilike(body.current_thread.text, "*kindly*"),
    strings.ilike(body.current_thread.text, "*on hold*"),
    strings.ilike(body.current_thread.text, "*held*"),
    strings.ilike(body.current_thread.text, "*pending*"),
    strings.ilike(body.current_thread.text, "*stuck*"),
    strings.like(body.current_thread.text, "* MX *")
  )

  // Link evidence: a link whose display text is a call to action, or (with
  // fewer than 3 links) a link whose displayed URL root domain equals a
  // recipient's root domain while the link is flagged as mismatched with its
  // real target.
  and (
    any(body.links,
        regex.icontains(.display_text,
                        "view",
                        "release",
                        "message",
                        "delete",
                        "recover",
                        "SSO",
                        "sign in"
        )
    )
    or (
      length(body.links) < 3
      and any(body.links,
              any(recipients.to,
                  .email.domain.root_domain == ..display_url.domain.root_domain
                  and ..mismatched
              )
      )
    )
  )

  // Exclude document-signing style link text, which reads as a different lure.
  and not any(body.links,
              regex.icontains(.display_text,
                              "view document",
                              "review (&|and) sign document"
              )
  )

  // Root domains that legitimately send quarantine / hold notifications
  // (Microsoft properties and ppops.net).
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "office365.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
    "ppops.net"
  )

  // negate org domains unless they fail DMARC authentication
  // NOTE(review): the inner disjunction is `not dmarc.pass OR not (dmarc.pass
  // is null and ...)`. Whenever dmarc.pass is non-null (true or false) the
  // second operand is true, so an org-domain sender that PASSES DMARC still
  // satisfies this clause; the only org-domain mail actually excluded is the
  // MS digest shape (null DMARC, outlook/office365 header domains,
  // protection.outlook.com message-id). If the comment above is the intent,
  // `or not (` likely should be `and not (` - confirm against the upstream rule.
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and (
        not headers.auth_summary.dmarc.pass
        // MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
        or not (
          headers.auth_summary.dmarc.pass is null
          and all(headers.domains,
                  .root_domain in ("outlook.com", "office365.com")
          )
          // typical emails from freemail Outlook accounts are from prod.outlook.com
          and strings.ends_with(headers.message_id, "protection.outlook.com>")
        )
      )
    )
    or sender.email.domain.root_domain not in $org_domains
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // Sender history: drop solicited senders and senders with prior benign mail.
  and not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign
# Classification metadata used by the rule catalogue.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable rule identifier; keep unchanged when editing the logic.
id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"