Credential phishing: Financial lure via ActiveCampaign infrastructure

Detects inbound phishing messages sent via ActiveCampaign using identifiable infrastructure fingerprints and hidden boilerplate text. Covers a wide range of lure themes including credit cards, loans, deposits, account updates, and vague document or verification prompts. Requires NLU Financial Communications topic classification.

Sublime rule (View on GitHub)

name: "Credential phishing: Financial lure via ActiveCampaign infrastructure"
description: "Detects inbound phishing messages sent via ActiveCampaign using identifiable infrastructure fingerprints and hidden boilerplate text. Covers a wide range of lure themes including credit cards, loans, deposits, account updates, and vague document or verification prompts. Requires NLU Financial Communications topic classification."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.contains(headers.mailer, "ActiveCampaign")
  and (
    strings.ilike(body.current_thread.text,
                  "*Piratini*",
                  "*45.405.898/0001-16*",
                  "*Cancelar inscri*",
                  "*Matem?tica Genial*"
    )
    or strings.ilike(body.html.raw,
                     "*belonging to Spun*",
                     "*affiliated with Spun*"
    )
  )
  and (
    length(html.xpath(body.html,
                      '//*[contains(@style, "background") and contains(@style, "padding")] | //a[contains(@class, "es-button")]'
           ).nodes
    ) > 0
    or length(html.xpath(body.html, '//a/img').nodes) > 0
  )
  and ml.nlu_classifier(body.current_thread.text).language == "english"
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Health and Wellness", "Entertainment and Sports")
              and .confidence == "high"
  )
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "8b18a6eb-fc61-55d0-be68-c397bddfa3bd"
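To show how the rule's conditions combine, here is an added Python re-implementation of its non-ML logic (this is example code, not Sublime's engine or the rule itself), run over constructed messages. The NLU language/topic verdict and the `$high_trust_sender_root_domains` list are assumed inputs supplied on each sample, since the classifier itself is platform-side.

```python
import fnmatch
from html.parser import HTMLParser

# Assumed stand-in for Sublime's $high_trust_sender_root_domains list.
HIGH_TRUST_ROOT_DOMAINS = {"trusted-example.com"}
TEXT_MARKERS = ["*Piratini*", "*45.405.898/0001-16*", "*Cancelar inscri*", "*Matem?tica Genial*"]
HTML_MARKERS = ["*belonging to Spun*", "*affiliated with Spun*"]
EXCLUDED_TOPICS = {"Health and Wellness", "Entertainment and Sports"}
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}

def ilike(text, patterns):
    """Case-insensitive glob ('*' any run, '?' one char), like strings.ilike."""
    return any(fnmatch.fnmatchcase(text.lower(), p.lower()) for p in patterns)

class LayoutScan(HTMLParser):
    """Mirrors the two html.xpath checks: styled background+padding blocks or
    es-button links, and an <img> that is a direct child of <a>."""
    def __init__(self):
        super().__init__()
        self.stack, self.styled_or_button, self.img_in_a = [], 0, 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style, cls = a.get("style") or "", a.get("class") or ""
        if ("background" in style and "padding" in style) or (tag == "a" and "es-button" in cls):
            self.styled_or_button += 1
        if tag == "img" and self.stack and self.stack[-1] == "a":
            self.img_in_a += 1
        if tag not in VOID_TAGS:
            self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack.pop() != tag:  # unwind to the matching open tag
                pass

def matches_rule(msg):
    """Evaluates the rule; msg carries the NLU verdict the platform would supply."""
    if "ActiveCampaign" not in msg["mailer"]:  # strings.contains is case-sensitive
        return False
    if not (ilike(msg["text"], TEXT_MARKERS) or ilike(msg["html"], HTML_MARKERS)):
        return False
    scan = LayoutScan(); scan.feed(msg["html"])
    if not (scan.styled_or_button or scan.img_in_a):
        return False
    if msg["language"] != "english":
        return False
    if any(n in EXCLUDED_TOPICS and c == "high" for n, c in msg["topics"]):
        return False
    # Exception: trusted sender root domain that also passes DMARC.
    return not (msg["sender_root_domain"] in HIGH_TRUST_ROOT_DOMAINS and msg["dmarc_pass"])

# Constructed samples (not real messages).
PHISH = {"mailer": "ActiveCampaign", "sender_root_domain": "lure-example.net", "dmarc_pass": False,
         "text": "Your card limit was approved. Cancelar inscrição",
         "html": '<div style="background:#fff;padding:8px"><a class="es-button" href="#">Confirm</a></div>',
         "language": "english", "topics": [("Financial Communications", "high")]}
TRUSTED = dict(PHISH, sender_root_domain="trusted-example.com", dmarc_pass=True)
OFF_TOPIC = dict(PHISH, topics=[("Health and Wellness", "high")])
```

Running `matches_rule` over the three samples shows the lure firing, the DMARC-passing trusted sender being excepted, and a high-confidence Health and Wellness message being excluded.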