Fake email quarantine notification
Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.
Sublime rule (View on GitHub)
1name: "Fake email quarantine notification"
2description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7
8 and length(body.links) < 10
9 and any(ml.nlu_classifier(body.current_thread.text).intents,
10 .name == "cred_theft" and .confidence == "high"
11 )
12 and (
13 3 of (
14 strings.ilike(body.current_thread.text, "*review*"),
15 strings.ilike(body.current_thread.text, "*release*"),
16 strings.ilike(body.current_thread.text, "*quaratine*"),
17 strings.ilike(body.current_thread.text, "*messages*"),
18 strings.ilike(body.current_thread.text, "*blocked*"),
19 strings.ilike(body.current_thread.text, "*notification*"),
20 strings.ilike(body.current_thread.text, "*kindly*"),
21 strings.ilike(body.current_thread.text, "*on hold*")
22 )
23 )
24 and any(body.links,
25 regex.icontains(.display_text, "view", "release", "messages", "delete")
26 )
27 and not any(body.links,
28 regex.icontains(.display_text, "view document")
29 )
30 and sender.email.domain.root_domain not in (
31 "bing.com",
32 "microsoft.com",
33 "microsoftonline.com",
34 "microsoftsupport.com",
35 "microsoft365.com",
36 "office.com",
37 "onedrive.com",
38 "sharepointonline.com",
39 "yammer.com",
40 )
41
42 // negate org domains unless they fail DMARC authentication
43 and (
44 (
45 sender.email.domain.root_domain in $org_domains
46 and not headers.auth_summary.dmarc.pass
47 )
48 or sender.email.domain.root_domain not in $org_domains
49 )
50
51 // negate highly trusted sender domains unless they fail DMARC authentication
52 and (
53 (
54 sender.email.domain.root_domain in $high_trust_sender_root_domains
55 and not headers.auth_summary.dmarc.pass
56 )
57 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
58 )
59 and not profile.by_sender().solicited
60 and not profile.by_sender().any_false_positives
61
62attack_types:
63 - "Credential Phishing"
64tactics_and_techniques:
65 - "Social engineering"
66detection_methods:
67 - "Content analysis"
68 - "Natural Language Understanding"
69 - "Sender analysis"
70id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"