Credential phishing: Generic document sharing
Detects credential phishing attempts using generic document sharing language where the sender claims to have sent a document for review, but the link doesn't point to legitimate file sharing services.
Sublime rule (View on GitHub)
# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# The message is flagged only when every top-level `and` clause below is true.
name: "Credential phishing: Generic document sharing"
description: |
  Detects credential phishing attempts using generic document sharing language
  where the sender claims to have sent a document for review, but the link
  doesn't point to legitimate file sharing services.
type: "rule"
severity: "medium"
source: |
  // Clause summary (all must hold):
  //   1. inbound message that is not part of an existing thread
  //   2. subject carries document-sharing language, or equals/near-matches the sender SLD
  //   3. body (or OCR of the rendered message when the body is near-empty) carries document-sharing language
  //   4. at least one link has file-like display text, is not on the file-sharing allowlist,
  //      and resolves to a suspicious destination
  //   5. sender root domain is not high-trust, or is high-trust but fails DMARC
  //   6. sender profile is unsolicited / new / stale / previously malicious, or the
  //      message spoofs an org domain without SPF or DMARC pass
  //   7. sender has no previously benign messages
  type.inbound
  // exclude if it's a reply to an existing conversation
  // (any entry in body.previous_threads short-circuits the whole rule)
  and not length(body.previous_threads) > 0
  and (
    // subject contains document sharing language
    // subject.base is the subject with reply/forward prefixes stripped; the
    // strings.icontains fallbacks below run on the raw subject.subject instead
    regex.icontains(subject.base,
                    '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|document\s*(number|num|#)|file\s+to\s+review|proposal\s+document|new\s+document|document\s+.{0,20}assigned|(complete|review|shared?).{0,20}agreement.{0,20})\b'
    )
    or strings.icontains(subject.subject, 'document to review')
    or strings.icontains(subject.subject, 'file to review')
    or strings.icontains(subject.subject, 'sent you')
    // or the sender's SLD is the subject
    // (the code compares against sender.email.domain.sld, not the recipient's domain)
    or (
      subject.base == sender.email.domain.sld
      // account for near-matches: a shorter subject that is a case-insensitive
      // substring of the sender SLD. any() over a one-element list is just
      // strings.icontains(sender.email.domain.sld, subject.base)
      or (
        length(subject.base) < length(sender.email.domain.sld)
        and any([subject.base], strings.icontains(sender.email.domain.sld, .))
      )
    )
  )
  and (
    // body contains document sharing language
    regex.icontains(body.current_thread.text,
                    '\b(document\s+I\s+sent|proposal\s+document|(proposal|documents?)\s+for\s+your\s+(approval|consideration|review|signature)|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document)\b'
    )
    or strings.icontains(body.current_thread.text, 'document I sent')
    or strings.icontains(body.current_thread.text, 'proposal document')
    or strings.icontains(body.current_thread.text, 'let me know what you think')
    // account for image-as-content: when the text body is under 10 characters,
    // OCR the rendered message screenshot and apply the same phrase checks
    // (beta.ocr(file.message_screenshot()) is invoked once per check below)
    or (
      length(body.current_thread.text) < 10
      and (
        regex.icontains(beta.ocr(file.message_screenshot()).text,
                        '\b(document\s+I\s+sent|proposal\s+document|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document)\b'
        )
        or strings.icontains(beta.ocr(file.message_screenshot()).text,
                             'document I sent'
        )
        or strings.icontains(beta.ocr(file.message_screenshot()).text,
                             'proposal document'
        )
        or strings.icontains(beta.ocr(file.message_screenshot()).text,
                             'let me know what you think'
        )
      )
    )
  )
  // has links that look like file attachments but aren't
  // filter() keeps links whose display text is file-like AND whose root domain is
  // not on the allowlist; any() then requires at least one kept link to resolve
  // to a suspicious destination (second argument)
  and any(filter(body.links,
                 // display text looks like a file
                 // NOTE(review): 'goto' is not a document extension; confirm it is
                 // intentional. The pattern has no trailing \b, so ".pdf" also
                 // matches inside longer tokens such as ".pdfx"
                 (
                   regex.icontains(.display_text,
                                   '\.(pdf|doc|docx|goto|xls|xlsx|ppt|pptx)'
                   )
                   or regex.icontains(.display_text, '\d+kb|\d+mb')
                   or strings.icontains(.display_text, 'document')
                   or strings.icontains(.display_text, 'proposal')
                   or strings.icontains(.display_text, 'review')
                   // account for image-as-content: a near-empty body with exactly
                   // one link passes regardless of display text
                   or (
                     length(body.current_thread.text) < 10
                     and length(body.links) == 1
                   )
                 )
                 // but the URL doesn't point to legitimate file sharing
                 // NOTE(review): "drive.google.com" is a subdomain; if root_domain
                 // yields the registrable domain it can never match here and is
                 // already covered by "google.com" — confirm
                 and .href_url.domain.root_domain not in (
                   "sharepoint.com",
                   "google.com",
                   "drive.google.com",
                   "dropbox.com",
                   "box.com",
                   "onedrive.com",
                   "1drv.ms",
                   "aka.ms",
                   "microsoft.com",
                   "office.com",
                   "docusign.com",
                   "adobesign.com",
                   "hellosign.com",
                   "signable.app"
                 )
          ),
          // and points to suspicious domains
          // (each check is tried on both root_domain and domain so that
          // subdomain-keyed list entries are also honoured)
          .href_url.domain.tld in $suspicious_tlds
          or .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.domain in $url_shorteners
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.domain in $free_file_hosts
          // or it's a forms/survey platform being abused in self_service_creation_platform_domains
          or .href_url.domain.root_domain in $self_service_creation_platform_domains
          or .href_url.domain.domain in $self_service_creation_platform_domains
          // bulk mailer abuse has been observed; the org's own SLD is exempted
          or (
            .href_url.domain.root_domain in $bulk_mailer_url_root_domains
            and .href_url.domain.sld not in $org_slds
          )
          // or the page redirects to common website, observed when evasion happens
          // (ml.link_analysis is evaluated twice with the same arguments here)
          or (
            length(ml.link_analysis(., mode="aggressive").redirect_history) > 0
            and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): this branch uses a bare `not headers.auth_summary.dmarc.pass`
  // while the org-spoof branch below coalesces the same field to false; confirm
  // both behave as intended when dmarc.pass is null
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender-profile conditions: unsolicited, never seen, no contact for 30+ days,
  // previously malicious/spam with no benign history, or an org-domain spoof
  and (
    profile.by_sender().solicited == false
    or profile.by_sender_email().prevalence == "new"
    or profile.by_sender_email().days_since.last_contact > 30
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // redundant with the trailing `and not ... any_messages_benign` below
      and not profile.by_sender().any_messages_benign
    )
    // or it's a spoof of the org_domain
    // (sender claims an org domain but neither SPF nor DMARC passed)
    or (
      sender.email.domain.domain in $org_domains
      and not (
        headers.auth_summary.spf.pass
        or coalesce(headers.auth_summary.dmarc.pass, false)
      )
    )
  )
  // any prior benign message from this sender suppresses the rule entirely
  and not profile.by_sender().any_messages_benign

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "Impersonation: Employee"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "Sender analysis"
id: "9f0e1d2c-3b4a-5c6d-7e8f-9a0b1c2d3e4f"