Credential phishing: Generic document sharing
Detects credential phishing attempts that use generic document-sharing language: the sender claims to have sent a document for review, but the link does not point to a legitimate file-sharing service.
# Sublime Security detection rule. The `source` block is MQL (Message Query
# Language); MQL comments inside it use `//`, YAML comments outside use `#`.
name: "Credential phishing: Generic document sharing"
description: |
  Detects credential phishing attempts using generic document sharing language
  where the sender claims to have sent a document for review, but the link
  doesn't point to legitimate file sharing services.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // exclude if it's a reply to an existing conversation
  and not length(body.previous_threads) > 0
  and (
    // subject contains document sharing language
    regex.icontains(subject.subject,
                    '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|file\s+to\s+review|proposal\s+document|new\s+document)\b'
    )
    // NOTE(review): the plain-string checks below largely overlap with the
    // regex alternatives above; they differ only in not requiring word
    // boundaries (e.g. a phrase glued to a preceding word still matches here).
    or strings.icontains(subject.subject, 'document to review')
    or strings.icontains(subject.subject, 'file to review')
    or strings.icontains(subject.subject, 'sent you')
  )
  and (
    // body contains document sharing language
    // NOTE(review): 'document.*review' and 'file.*review' match any text that
    // has the two words in that order, however far apart — broad by design,
    // but worth confirming against false-positive samples.
    regex.icontains(body.current_thread.text,
                    '\b(document\s+I\s+sent|proposal\s+document|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think)\b'
    )
    or strings.icontains(body.current_thread.text, 'document I sent')
    or strings.icontains(body.current_thread.text, 'proposal document')
    or strings.icontains(body.current_thread.text, 'let me know what you think')
  )
  // has links that look like file attachments but aren't
  and any(body.links,
          // display text looks like a file: a document-style extension, a
          // file size ("12kb", "3mb"), or a document/proposal/review word
          (
            // NOTE(review): "goto" is not a document extension — confirm it is
            // intended and not a typo for another extension.
            regex.icontains(.display_text, '\.(pdf|doc|docx|goto|xls|xlsx|ppt|pptx)')
            or regex.icontains(.display_text, '\d+kb|\d+mb')
            or strings.icontains(.display_text, 'document')
            or strings.icontains(.display_text, 'proposal')
            or strings.icontains(.display_text, 'review')
          )
          // but the URL doesn't point to legitimate file sharing
          // NOTE(review): this compares the registrable (root) domain, so the
          // "drive.google.com" entry appears never to match — "google.com"
          // already covers it. Allowlisting a whole root domain also excludes
          // every path under it, including any redirector endpoints the
          // service may host; consider whether a narrower match is wanted.
          and .href_url.domain.root_domain not in (
            "sharepoint.com",
            "google.com",
            "drive.google.com",
            "dropbox.com",
            "box.com",
            "onedrive.com",
            "1drv.ms",
            "aka.ms",
            "microsoft.com",
            "office.com",
            "docusign.com",
            "adobesign.com",
            "hellosign.com",
            "signable.app"
          )
          // and points to suspicious domains
          // ($-prefixed names are Sublime lists maintained outside this rule;
          // both the full domain and the root domain are checked so a match on
          // either form counts)
          and (
            .href_url.domain.tld in $suspicious_tlds
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.domain in $free_file_hosts
            // or a self-service creation platform (forms/survey builders and
            // similar) being abused to host the lure
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $self_service_creation_platform_domains
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): dmarc.pass is tested directly here but wrapped in
  // coalesce(..., false) in the org-spoof branch below; if dmarc.pass can be
  // null (no DMARC result), the two branches treat that case differently —
  // confirm which handling is intended.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender context: unsolicited, new, dormant for more than 30 days,
  // a malicious/spam-only history, or a spoof of the org's own domain
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or profile.by_sender_email().days_since.last_contact > 30
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // redundant with the rule-wide "not any_messages_benign" exclusion at the
      // end, but harmless
      and not profile.by_sender().any_messages_benign
    )
    // or it's a spoof of the org_domain
    or (
      sender.email.domain.domain in $org_domains
      and not (
        headers.auth_summary.spf.pass
        or coalesce(headers.auth_summary.dmarc.pass, false)
      )
    )
  )
  // never fire on a sender with any known-benign history
  and not profile.by_sender().any_messages_benign

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "Impersonation: Employee"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "Sender analysis"
id: "9f0e1d2c-3b4a-5c6d-7e8f-9a0b1c2d3e4f"