Credential phishing: Generic document sharing

Detects credential phishing attempts using generic document sharing language where the sender claims to have sent a document for review, but the link doesn't point to legitimate file sharing services.


  1name: "Credential phishing: Generic document sharing"
   # Sublime Security detection rule: YAML metadata plus an MQL query under `source`.
   # The query is one boolean expression; every top-level `and` group below must
   # hold for a message before the rule matches.
  2description: |
  3  Detects credential phishing attempts using generic document sharing language
  4  where the sender claims to have sent a document for review, but the link
  5  doesn't point to legitimate file sharing services.  
  6type: "rule"
  7severity: "medium"
  8source: |
     // Only inbound mail is evaluated.
  9  type.inbound
 10  // exclude if it's a reply to an existing conversation
     // (no previous thread content => this is the first message in the thread)
 11  and not length(body.previous_threads) > 0
 12  and (
 13    // subject contains document sharing language
 14    regex.icontains(subject.subject,
 15                    '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|file\s+to\s+review|proposal\s+document|new\s+document)\b'
 16    )
       // The plain substring checks overlap with the alternation above but are
       // slightly broader: strings.icontains carries no word-boundary requirement.
 17    or strings.icontains(subject.subject, 'document to review')
 18    or strings.icontains(subject.subject, 'file to review')
 19    or strings.icontains(subject.subject, 'sent you')
 20  )
 21  and (
 22    // body contains document sharing language
       // NOTE(review): `document.*review` and `file.*review` let the two words be
       // arbitrarily far apart in the current thread text, so this branch is broad.
 23    regex.icontains(body.current_thread.text,
 24                    '\b(document\s+I\s+sent|proposal\s+document|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think)\b'
 25    )
 26    or strings.icontains(body.current_thread.text, 'document I sent')
 27    or strings.icontains(body.current_thread.text, 'proposal document')
 28    or strings.icontains(body.current_thread.text, 'let me know what you think')
 29  )
 30  // has links that look like file attachments but aren't
     // At least one link must satisfy all three conditions below: file-like
     // display text, a host outside the allowlist, and a host on a suspicious list.
 31  and any(body.links,
 32          // display text looks like a file
 33          (
               // NOTE(review): there is no trailing boundary, so `\.doc` already
               // covers `.docx` (that alternative is redundant) and `\.pdf` would
               // also match e.g. `.pdfx`; `goto` is not a document extension and
               // looks like a typo -- confirm intent.
 34            regex.icontains(.display_text, '\.(pdf|doc|docx|goto|xls|xlsx|ppt|pptx)')
               // display text that advertises a file size in kb/mb
 35            or regex.icontains(.display_text, '\d+kb|\d+mb')
 36            or strings.icontains(.display_text, 'document')
 37            or strings.icontains(.display_text, 'proposal')
 38            or strings.icontains(.display_text, 'review')
 39          )
 40          // but the URL doesn't point to legitimate file sharing
             // Compared on root_domain (the registrable domain), so subdomains of
             // the listed entries are excluded as well. Trade-off: attacker-controlled
             // content hosted on these platforms is outside this rule's scope.
             // NOTE(review): "drive.google.com" is a subdomain rather than a root
             // domain, so that entry is presumably inert (google.com already covers it).
 41          and .href_url.domain.root_domain not in (
 42            "sharepoint.com",
 43            "google.com",
 44            "drive.google.com",
 45            "dropbox.com",
 46            "box.com",
 47            "onedrive.com",
 48            "1drv.ms",
 49            "aka.ms",
 50            "microsoft.com",
 51            "office.com",
 52            "docusign.com",
 53            "adobesign.com",
 54            "hellosign.com",
 55            "signable.app"
 56          )
 57          // and points to suspicious domains
             // A positive signal is required too: the link host must appear on one
             // of the Sublime-maintained $lists below. Both root_domain and domain
             // are checked so list entries given as a registered domain or as a
             // full hostname are both honoured.
 58          and (
 59            .href_url.domain.tld in $suspicious_tlds
 60            or .href_url.domain.root_domain in $url_shorteners
 61            or .href_url.domain.domain in $url_shorteners
 62            or .href_url.domain.root_domain in $free_file_hosts
 63            or .href_url.domain.domain in $free_file_hosts
 64            // or it's a forms/survey platform being abused in self_service_creation_platform_domains
               // NOTE(review): a platform whose root domain is also on the allowlist
               // above can never reach this branch -- confirm that is intended.
 65            or .href_url.domain.root_domain in $self_service_creation_platform_domains
 66            or .href_url.domain.domain in $self_service_creation_platform_domains
 67          )
 68  )
 69  // negate highly trusted sender domains unless they fail DMARC authentication
     // NOTE(review): `not headers.auth_summary.dmarc.pass` is used here without
     // coalesce(), unlike the org-domain spoof check further down; if the DMARC
     // result is absent the two checks may behave differently -- confirm.
 70  and (
 71    (
 72      sender.email.domain.root_domain in $high_trust_sender_root_domains
 73      and not headers.auth_summary.dmarc.pass
 74    )
 75    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 76  )
     // Sender-reputation gate: at least one of the following must hold.
 77  and (
       // the recipient never solicited this sender
 78    profile.by_sender().solicited == false
       // or the sender address has not been seen before
 79    or profile.by_sender_email().prevalence == "new"
       // or there has been no contact with this address in the last 30 days
 80    or profile.by_sender_email().days_since.last_contact > 30
       // or the sender has only malicious/spam history
 81    or (
 82      profile.by_sender().any_messages_malicious_or_spam
         // (already implied by the unconditional any_messages_benign check at the end)
 83      and not profile.by_sender().any_messages_benign
 84    )
 85    // or it's a spoof of the org_domain
       // Sender claims an org domain but passes neither SPF nor DMARC; a missing
       // DMARC result is treated as a failure via coalesce().
 86    or (
 87      sender.email.domain.domain in $org_domains
 88      and not (
 89        headers.auth_summary.spf.pass
 90        or coalesce(headers.auth_summary.dmarc.pass, false)
 91      )
 92    )
 93  )
     // Unconditionally skip any sender with prior benign messages. This limits
     // false positives but also means a known-good account that is later
     // compromised will not be flagged by this rule.
 94  and not profile.by_sender().any_messages_benign
 95    
   # Classification metadata consumed by the Sublime platform; not part of the query.
 96attack_types:
 97  - "Credential Phishing"
 98  - "BEC/Fraud"
 99tactics_and_techniques:
100  - "Social engineering"
101  - "Evasion"
102  - "Impersonation: Employee"
103detection_methods:
104  - "Content analysis"
105  - "Natural Language Understanding"
106  - "URL analysis"
107  - "Sender analysis"
108id: "9f0e1d2c-3b4a-5c6d-7e8f-9a0b1c2d3e4f"