Credential phishing: Generic document sharing
Detects credential phishing attempts using generic document sharing language where the sender claims to have sent a document for review, but the link doesn't point to legitimate file sharing services.
Sublime rule (View on GitHub)
1name: "Credential phishing: Generic document sharing"
2description: |
3 Detects credential phishing attempts using generic document sharing language
4 where the sender claims to have sent a document for review, but the link
5 doesn't point to legitimate file sharing services.
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 // exclude if it's a reply to an existing conversation
11 and (
12 not length(body.previous_threads) > 0
13 // still match if self-sender BCC pattern
14 or (
15 length(recipients.to) == 1
16 and length(recipients.cc) == 0
17 and sender.email.email == recipients.to[0].email.email
18 )
19 )
20 and (
21 // subject contains document sharing language
22 regex.icontains(subject.base,
23 '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|document\s*(number|num|#)|file\s+to\s+review|proposal\s+document|new\s+document|document\s+.{0,20}(assigned|available)|(complete|review|shared?).{0,20}agreement.{0,20}|document\s+(?:transfer|shared))\b'
24 )
25 or strings.icontains(subject.subject, 'document to review')
26 or strings.icontains(subject.subject, 'file to review')
27 or strings.icontains(subject.subject, 'sent you')
28 or strings.icontains(subject.subject, 'eDocuments Notification')
29 // or recipient's SLD is the subject
30 or (
31 subject.base == sender.email.domain.sld
32 // account for near-matches
33 or (
34 length(subject.base) < length(sender.email.domain.sld)
35 and any([subject.base], strings.icontains(sender.email.domain.sld, .))
36 )
37 )
38 // blank subject with recipient SLD in message body
39 or (
40 (length(subject.base) == 0 or subject.base is null)
41 and any(recipients.to,
42 strings.istarts_with(body.current_thread.text, .email.domain.sld)
43 )
44 )
45 )
46 and (
47 // body contains document sharing language
48 regex.icontains(body.current_thread.text,
49 '\b(?:document\s+I\s+sent|proposal\s+document|(?:proposal|documents?)\s+for\s+your\s+(?:approval|consideration|review|signature)|see\s+the\s+below|document.*(?:review|posted)|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document|(?:review\s+and\s+)?sign\s+your\s+document|electronic\s+signature\s+required)\b'
50 )
51 or strings.icontains(body.current_thread.text, 'document I sent')
52 or strings.icontains(body.current_thread.text, 'proposal document')
53 or strings.icontains(body.current_thread.text, 'let me know what you think')
54 // account for image-as-content
55 or (
56 length(body.current_thread.text) < 10
57 and (
58 regex.icontains(beta.ocr(file.message_screenshot()).text,
59 '\b(document\s+I\s+sent|proposal\s+document|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document)\b'
60 )
61 or strings.icontains(beta.ocr(file.message_screenshot()).text,
62 'document I sent'
63 )
64 or strings.icontains(beta.ocr(file.message_screenshot()).text,
65 'proposal document'
66 )
67 or strings.icontains(beta.ocr(file.message_screenshot()).text,
68 'let me know what you think'
69 )
70 )
71 )
72 )
73 // has links that look like file attachments but aren't
74 and any(filter(body.links,
75 // display text looks like a file
76 (
77 regex.icontains(.display_text,
78 '\.(pdf|doc|docx|goto|xls|xlsx|ppt|pptx)'
79 )
80 or regex.icontains(.display_text, '\d+kb|\d+mb')
81 or strings.icontains(.display_text, 'document')
82 or strings.icontains(.display_text, 'proposal')
83 or strings.icontains(.display_text, 'review')
84 // account for image-as-content
85 or (
86 length(body.current_thread.text) < 10
87 and length(body.links) == 1
88 )
89 )
90 // but the URL doesn't point to legitimate file sharing
91 and .href_url.domain.root_domain not in (
92 "sharepoint.com",
93 "google.com",
94 "dropbox.com",
95 "box.com",
96 "onedrive.com",
97 "1drv.ms",
98 "aka.ms",
99 "microsoft.com",
100 "office.com",
101 "docusign.com",
102 "adobesign.com",
103 "hellosign.com",
104 "signable.app"
105 )
106 and .href_url.domain.domain not in ("drive.google.com")
107 ),
108 // and points to suspicious domains
109 .href_url.domain.tld in $suspicious_tlds
110 or .href_url.domain.root_domain in $url_shorteners
111 or .href_url.domain.domain in $url_shorteners
112 or .href_url.domain.root_domain in $free_file_hosts
113 or .href_url.domain.domain in $free_file_hosts
114 // or it's a forms/survey platform being abused in self_service_creation_platform_domains
115 or .href_url.domain.root_domain in $self_service_creation_platform_domains
116 or .href_url.domain.domain in $self_service_creation_platform_domains
117 // bulk mailer abuse has been observed
118 or (
119 (
120 .href_url.domain.root_domain in $bulk_mailer_url_root_domains
121 or (
122 .href_url.rewrite.original is not null
123 and 'mandrill' in .href_url.rewrite.encoders
124 )
125 )
126 and .href_url.domain.sld not in $org_slds
127 )
128 // or the page redirects to common website, observed when evasion happens
129 or (
130 length(ml.link_analysis(., mode="aggressive").redirect_history) > 0
131 and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
132 )
133 // or common email marketing/tracking patterns
134 or regex.match(.href_url.url, 'url\d+\..*\.com/ls/click')
135 or regex.match(.href_url.path, '/ls/click|/click|/c/')
136 )
137 // negate highly trusted sender domains unless they fail DMARC authentication
138 and (
139 (
140 sender.email.domain.root_domain in $high_trust_sender_root_domains
141 and not headers.auth_summary.dmarc.pass
142 )
143 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
144 )
145 and (
146 profile.by_sender().solicited == false
147 or profile.by_sender_email().prevalence == "new"
148 or profile.by_sender_email().days_since.last_contact > 30
149 or (
150 profile.by_sender().any_messages_malicious_or_spam
151 and not profile.by_sender().any_messages_benign
152 )
153 // or it's a spoof of the org_domain
154 or (
155 sender.email.domain.domain in $org_domains
156 and not (
157 headers.auth_summary.spf.pass
158 or coalesce(headers.auth_summary.dmarc.pass, false)
159 )
160 )
161 )
162 and not profile.by_sender().any_messages_benign
163attack_types:
164 - "Credential Phishing"
165 - "BEC/Fraud"
166tactics_and_techniques:
167 - "Social engineering"
168 - "Evasion"
169 - "Impersonation: Employee"
170detection_methods:
171 - "Content analysis"
172 - "Natural Language Understanding"
173 - "URL analysis"
174 - "Sender analysis"
175id: "9f0e1d2c-3b4a-5c6d-7e8f-9a0b1c2d3e4f"