Fake email quarantine notification

calendar Jan 10, 2025  ยท
Share on: linkedin copy

Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.

Sublime rule (View on GitHub)

 1name: "Fake email quarantine notification"
 2description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7
 8  and length(body.links) < 10
 9  and (
10    any(ml.nlu_classifier(body.current_thread.text).intents,
11        .name == "cred_theft" and .confidence == "high"
12    )
13    or (
14      length(body.current_thread.text) < 250
15      and any(recipients.to,
16              strings.icontains(body.current_thread.text, .email.domain.sld)
17              or strings.icontains(body.current_thread.text, .email.local_part)
18      )
19    )
20  )
21  and (
22    3 of (
23      strings.ilike(body.current_thread.text, "*review*"),
24      strings.ilike(body.current_thread.text, "*release*"),
25      strings.ilike(body.current_thread.text, "*quaratine*"),
26      strings.ilike(body.current_thread.text, "*messages*"),
27      strings.ilike(body.current_thread.text, "*blocked*"),
28      strings.ilike(body.current_thread.text, "*notification*"),
29      strings.ilike(body.current_thread.text, "*kindly*"),
30      strings.ilike(body.current_thread.text, "*on hold*"),
31      strings.ilike(body.current_thread.text, "*pending*")
32    )
33  )
34  and (
35    any(body.links,
36        regex.icontains(.display_text, "view", "release", "messages", "delete")
37    )
38    or (
39      length(body.links) < 3
40      and any(body.links,
41              any(recipients.to,
42                  .email.domain.root_domain == ..display_url.domain.root_domain
43                  and ..mismatched
44              )
45      )
46    )
47  )
48  and not any(body.links,
49              regex.icontains(.display_text,
50                              "view document",
51                              "review (&|and) sign document"
52              )
53  )
54  and sender.email.domain.root_domain not in (
55    "bing.com",
56    "microsoft.com",
57    "microsoftonline.com",
58    "microsoftsupport.com",
59    "microsoft365.com",
60    "office.com",
61    "office365.com",
62    "onedrive.com",
63    "sharepointonline.com",
64    "yammer.com",
65    "ppops.net"
66  )
67  
68  // negate org domains unless they fail DMARC authentication
69  and (
70    (
71      sender.email.domain.root_domain in $org_domains
72      and not headers.auth_summary.dmarc.pass
73    )
74    or sender.email.domain.root_domain not in $org_domains
75  )
76  
77  // negate highly trusted sender domains unless they fail DMARC authentication
78  and (
79    (
80      sender.email.domain.root_domain in $high_trust_sender_root_domains
81      and not headers.auth_summary.dmarc.pass
82    )
83    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
84  )
85  and not profile.by_sender().solicited
86  and not profile.by_sender().any_false_positives
87    
88attack_types:
89  - "Credential Phishing"
90tactics_and_techniques:
91  - "Social engineering"
92detection_methods:
93  - "Content analysis"
94  - "Natural Language Understanding"
95  - "Sender analysis"
96id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"
to-top