Credential phishing: Generic document sharing
Detects credential phishing attempts using generic document sharing language where the sender claims to have sent a document for review, but the link doesn't point to legitimate file sharing services.
# Sublime detection rule: YAML metadata around an MQL query in the `source` block scalar.
# The query fires only when every top-level `and` clause below is satisfied.
name: "Credential phishing: Generic document sharing"
description: |
  Detects credential phishing attempts using generic document sharing language
  where the sender claims to have sent a document for review, but the link
  doesn't point to legitimate file sharing services.
type: "rule"
severity: "medium"
# Clause order inside `source`: direction -> not a reply -> subject lure -> body lure
# -> file-looking link on a non-allowlisted, suspicious domain -> sender trust checks.
source: |
  type.inbound
  // exclude if it's a reply to an existing conversation
  and not length(body.previous_threads) > 0
  and (
    // subject contains document sharing language
    regex.icontains(subject.subject,
                    '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|file\s+to\s+review|proposal\s+document|new\s+document|document\s+.{0,20}assigned)\b'
    )
    // plain-substring fallbacks; these phrases overlap with alternations in the regex above
    or strings.icontains(subject.subject, 'document to review')
    or strings.icontains(subject.subject, 'file to review')
    or strings.icontains(subject.subject, 'sent you')
  )
  and (
    // body contains document sharing language
    regex.icontains(body.current_thread.text,
                    '\b(document\s+I\s+sent|proposal\s+document|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document)\b'
    )
    or strings.icontains(body.current_thread.text, 'document I sent')
    or strings.icontains(body.current_thread.text, 'proposal document')
    or strings.icontains(body.current_thread.text, 'let me know what you think')
    // account for image-as-content
    // (near-empty text body: run the same lure checks over OCR of the rendered message)
    or (
      length(body.current_thread.text) < 10
      and (
        regex.icontains(beta.ocr(file.message_screenshot()).text,
                        '\b(document\s+I\s+sent|proposal\s+document|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document)\b'
        )
        or strings.icontains(beta.ocr(file.message_screenshot()).text,
                             'document I sent'
        )
        or strings.icontains(beta.ocr(file.message_screenshot()).text,
                             'proposal document'
        )
        or strings.icontains(beta.ocr(file.message_screenshot()).text,
                             'let me know what you think'
        )
      )
    )
  )
  // has links that look like file attachments but aren't
  // (all link conditions below must hold for the same link element)
  and any(body.links,
          // display text looks like a file
          (
            // NOTE(review): 'goto' is not an obvious document extension -- confirm it is intended
            regex.icontains(.display_text,
                            '\.(pdf|doc|docx|goto|xls|xlsx|ppt|pptx)'
            )
            or regex.icontains(.display_text, '\d+kb|\d+mb')
            or strings.icontains(.display_text, 'document')
            or strings.icontains(.display_text, 'proposal')
            or strings.icontains(.display_text, 'review')
            // account for image-as-content
            // (a lone link in a near-empty body counts even without file-like display text)
            or (length(body.current_thread.text) < 10 and length(body.links) == 1)
          )
          // but the URL doesn't point to legitimate file sharing
          // NOTE(review): this allowlist is matched on root_domain, so every host under these
          // roots is excluded before the platform-abuse checks below run -- confirm that is
          // intended; hostname-style entries (e.g. "drive.google.com") are unlikely to equal a
          // root_domain value and look redundant with their root entry -- verify
          and .href_url.domain.root_domain not in (
            "sharepoint.com",
            "google.com",
            "drive.google.com",
            "dropbox.com",
            "box.com",
            "onedrive.com",
            "1drv.ms",
            "aka.ms",
            "microsoft.com",
            "office.com",
            "docusign.com",
            "adobesign.com",
            "hellosign.com",
            "signable.app"
          )
          // and points to suspicious domains
          // (each list is checked at both root_domain and full domain granularity)
          and (
            .href_url.domain.tld in $suspicious_tlds
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.domain in $free_file_hosts
            // or it's a forms/survey platform being abused in self_service_creation_platform_domains
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $self_service_creation_platform_domains
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      // NOTE(review): the org-spoof clause below wraps dmarc.pass in coalesce(..., false);
      // this one does not, so a missing DMARC result may be handled differently -- confirm
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender is unsolicited, new, stale, previously bad, or a spoof of our own domain
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or profile.by_sender_email().days_since.last_contact > 30
    // the `not any_messages_benign` half is already required by the trailing clause below,
    // so this branch effectively reduces to any_messages_malicious_or_spam
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    // or it's a spoof of the org_domain
    or (
      sender.email.domain.domain in $org_domains
      and not (
        headers.auth_summary.spf.pass
        or coalesce(headers.auth_summary.dmarc.pass, false)
      )
    )
  )
  // any prior benign message from this sender suppresses the rule outright
  and not profile.by_sender().any_messages_benign

# Classification metadata.
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "Impersonation: Employee"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "Sender analysis"
id: "9f0e1d2c-3b4a-5c6d-7e8f-9a0b1c2d3e4f"