Fake email quarantine notification

calendar Jun 6, 2024  ยท
Share on: linkedin copy

Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.

Sublime rule (View on GitHub)

 1name: "Fake email quarantine notification"
 2description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7
 8  and length(body.links) < 10
 9  and any(ml.nlu_classifier(body.current_thread.text).intents,
10          .name == "cred_theft" and .confidence == "high"
11  )
12  and (
13    3 of (
14      strings.ilike(body.current_thread.text, "*review*"),
15      strings.ilike(body.current_thread.text, "*release*"),
16      strings.ilike(body.current_thread.text, "*quaratine*"),
17      strings.ilike(body.current_thread.text, "*messages*"),
18      strings.ilike(body.current_thread.text, "*blocked*"),
19      strings.ilike(body.current_thread.text, "*notification*"),
20      strings.ilike(body.current_thread.text, "*kindly*"),
21      strings.ilike(body.current_thread.text, "*on hold*")
22    )
23  )
24  and any(body.links,
25          regex.icontains(.display_text, "view", "release", "messages", "delete")
26  )
27  and not any(body.links,
28        regex.icontains(.display_text, "view document")
29  )
30  and sender.email.domain.root_domain not in (
31    "bing.com",
32    "microsoft.com",
33    "microsoftonline.com",
34    "microsoftsupport.com",
35    "microsoft365.com",
36    "office.com",
37    "onedrive.com",
38    "sharepointonline.com",
39    "yammer.com",
40  )
41  
42  // negate org domains unless they fail DMARC authentication
43  and (
44    (
45      sender.email.domain.root_domain in $org_domains
46      and not headers.auth_summary.dmarc.pass
47    )
48    or sender.email.domain.root_domain not in $org_domains
49  )
50  
51  // negate highly trusted sender domains unless they fail DMARC authentication
52  and (
53    (
54      sender.email.domain.root_domain in $high_trust_sender_root_domains
55      and not headers.auth_summary.dmarc.pass
56    )
57    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
58  )
59  and not profile.by_sender().solicited
60  and not profile.by_sender().any_false_positives
61    
62attack_types:
63  - "Credential Phishing"
64tactics_and_techniques:
65  - "Social engineering"
66detection_methods:
67  - "Content analysis"
68  - "Natural Language Understanding"
69  - "Sender analysis"
70id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"
to-top