Fake email quarantine notification
Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.
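name: "Fake email quarantine notification"
description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
type: "rule"
severity: "high"
source: |
  type.inbound
  // quarantine-digest lures are link-light; the cap keeps newsletters and real digests out
  and length(body.links) < 10
  and (
    // either the NLU classifier is highly confident the thread is a credential-theft lure...
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    // ...or the message is short and personalized with the recipient's own company
    // SLD or mailbox name, as templated "your messages are pending" lures tend to be.
    // NOTE(review): a very short local_part (e.g. two letters) will icontains-match
    // almost any text; consider a minimum length on .email.local_part if this branch
    // proves noisy.
    or (
      length(body.current_thread.text) < 250
      and any(recipients.to,
              strings.icontains(body.current_thread.text, .email.domain.sld)
              or strings.icontains(body.current_thread.text, .email.local_part)
      )
    )
  )
  // mail-delay / quarantine vocabulary: at least three distinct terms must appear
  and 3 of (
    strings.ilike(body.current_thread.text, "*review*"),
    strings.ilike(body.current_thread.text, "*incoming*"),
    strings.ilike(body.current_thread.text, "*release*"),
    strings.ilike(body.current_thread.text, "*quarantine*"),
    strings.ilike(body.current_thread.text, "*messages*"),
    strings.ilike(body.current_thread.text, "*server error*"),
    strings.ilike(body.current_thread.text, "*blocked*"),
    strings.ilike(body.current_thread.text, "*prevented*"),
    strings.ilike(body.current_thread.text, "*notification*"),
    strings.ilike(body.current_thread.text, "*kindly*"),
    strings.ilike(body.current_thread.text, "*on hold*"),
    strings.ilike(body.current_thread.text, "*held*"),
    strings.ilike(body.current_thread.text, "*pending*")
  )
  and (
    // call-to-action link text typical of release/recover lures...
    any(body.links,
        regex.icontains(.display_text, "view", "release", "messages", "delete", "recover")
    )
    // ...or, with very few links, a link whose displayed URL shows the recipient's own
    // root domain while the actual href points somewhere else (mismatched)
    or (
      length(body.links) < 3
      and any(body.links,
              any(recipients.to,
                  .email.domain.root_domain == ..display_url.domain.root_domain
                  and ..mismatched
              )
      )
    )
  )
  // exclude e-signature style link text (presumably left to dedicated document-lure rules — confirm)
  and not any(body.links,
              regex.icontains(.display_text,
                              "view document",
                              "review (&|and) sign document"
              )
  )
  // legitimate quarantine-notification sender domains.
  // NOTE(review): unlike the $org_domains and $high_trust_sender_root_domains blocks
  // below, this static exemption is NOT conditioned on DMARC, so it relies entirely on
  // upstream authentication enforcement to stop a forged From: on one of these domains.
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "office365.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
    "ppops.net"
  )

  // negate org domains unless they fail DMARC authentication
  // NOTE(review): as written, an org-domain sender that PASSES DMARC still satisfies
  // this clause: `not true` is false, but `not (false and ...)` is true, so the `or`
  // makes the whole inner expression true. The only case actually negated is the MS
  // quarantine digest with null DMARC. If the comment above states the intent, the
  // combinator should be `and not (` rather than `or not (`. Left unchanged pending
  // confirmation against the upstream rule.
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and (
        not headers.auth_summary.dmarc.pass
        // MS quarantine digest emails from an org domain are routed "internally" to MS, therefore, there is no authentication information
        or not (
          headers.auth_summary.dmarc.pass is null
          and all(headers.domains,
                  .root_domain in ("outlook.com", "office365.com")
          )
          // typical emails from freemail Outlook accounts are from prod.outlook.com,
          // hence the protection.outlook.com suffix check to isolate the tenant digest
          and strings.ends_with(headers.message_id, "protection.outlook.com>")
        )
      )
    )
    or sender.email.domain.root_domain not in $org_domains
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender-profile negations: known solicited senders and senders with prior false positives
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"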