Credential phishing: Generic document sharing

Detects credential phishing attempts using generic document sharing language where the sender claims to have sent a document for review, but the link doesn't point to legitimate file sharing services.

Sublime rule (View on GitHub)

  1name: "Credential phishing: Generic document sharing"
  2description: |
  3  Detects credential phishing attempts using generic document sharing language
  4  where the sender claims to have sent a document for review, but the link
  5  doesn't point to legitimate file sharing services.  
  6type: "rule"
  7severity: "medium"
  8source: |
  9  type.inbound
 10  // exclude if it's a reply to an existing conversation
 11  and (
 12    not length(body.previous_threads) > 0
 13    // still match if self-sender BCC pattern
 14    or (
 15      length(recipients.to) == 1
 16      and length(recipients.cc) == 0
 17      and sender.email.email == recipients.to[0].email.email
 18    )
 19  )
 20  and (
 21    // subject contains document sharing language
 22    regex.icontains(subject.base,
 23                    '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|document\s*(number|num|#)|file\s+to\s+review|proposal\s+document|new\s+document|document\s+.{0,20}(assigned|available)|(complete|review|shared?).{0,20}agreement.{0,20}|document\s+(?:transfer|shared))\b'
 24    )
 25    or strings.icontains(subject.subject, 'document to review')
 26    or strings.icontains(subject.subject, 'file to review')
 27    or strings.icontains(subject.subject, 'sent you')
 28    or strings.icontains(subject.subject, 'eDocuments Notification')
 29    // or recipient's SLD is the subject
 30    or (
 31      subject.base == sender.email.domain.sld
 32      // account for near-matches
 33      or (
 34        length(subject.base) < length(sender.email.domain.sld)
 35        and any([subject.base], strings.icontains(sender.email.domain.sld, .))
 36      )
 37    )
 38    // blank subject with recipient SLD in message body
 39    or (
 40      (length(subject.base) == 0 or subject.base is null)
 41      and any(recipients.to,
 42              strings.istarts_with(body.current_thread.text, .email.domain.sld)
 43      )
 44    )
 45  )
 46  and (
 47    // body contains document sharing language
 48    regex.icontains(body.current_thread.text,
 49                    '\b(?:document\s+I\s+sent|proposal\s+document|(?:proposal|documents?)\s+for\s+your\s+(?:approval|consideration|review|signature)|see\s+the\s+below|document.*(?:review|posted)|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document|(?:review\s+and\s+)?sign\s+your\s+document|electronic\s+signature\s+required)\b'
 50    )
 51    or strings.icontains(body.current_thread.text, 'document I sent')
 52    or strings.icontains(body.current_thread.text, 'proposal document')
 53    or strings.icontains(body.current_thread.text, 'let me know what you think')
 54    // account for image-as-content
 55    or (
 56      length(body.current_thread.text) < 10
 57      and (
 58        regex.icontains(beta.ocr(file.message_screenshot()).text,
 59                        '\b(document\s+I\s+sent|proposal\s+document|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document)\b'
 60        )
 61        or strings.icontains(beta.ocr(file.message_screenshot()).text,
 62                             'document I sent'
 63        )
 64        or strings.icontains(beta.ocr(file.message_screenshot()).text,
 65                             'proposal document'
 66        )
 67        or strings.icontains(beta.ocr(file.message_screenshot()).text,
 68                             'let me know what you think'
 69        )
 70      )
 71    )
 72  )
 73  // has links that look like file attachments but aren't
 74  and any(filter(body.links,
 75                 // display text looks like a file
 76                 (
 77                   regex.icontains(.display_text,
 78                                   '\.(pdf|doc|docx|goto|xls|xlsx|ppt|pptx)'
 79                   )
 80                   or regex.icontains(.display_text, '\d+kb|\d+mb')
 81                   or strings.icontains(.display_text, 'document')
 82                   or strings.icontains(.display_text, 'proposal')
 83                   or strings.icontains(.display_text, 'review')
 84                   // account for image-as-content
 85                   or (
 86                     length(body.current_thread.text) < 10
 87                     and length(body.links) == 1
 88                   )
 89                 )
 90                 // but the URL doesn't point to legitimate file sharing
 91                 and .href_url.domain.root_domain not in (
 92                   "sharepoint.com",
 93                   "google.com",
 94                   "dropbox.com",
 95                   "box.com",
 96                   "onedrive.com",
 97                   "1drv.ms",
 98                   "aka.ms",
 99                   "microsoft.com",
100                   "office.com",
101                   "docusign.com",
102                   "adobesign.com",
103                   "hellosign.com",
104                   "signable.app"
105                 )
106                 and .href_url.domain.domain not in ("drive.google.com")
107          ),
108          // and points to suspicious domains
109          .href_url.domain.tld in $suspicious_tlds
110          or .href_url.domain.root_domain in $url_shorteners
111          or .href_url.domain.domain in $url_shorteners
112          or .href_url.domain.root_domain in $free_file_hosts
113          or .href_url.domain.domain in $free_file_hosts
114          // or it's a forms/survey platform being abused in self_service_creation_platform_domains
115          or .href_url.domain.root_domain in $self_service_creation_platform_domains
116          or .href_url.domain.domain in $self_service_creation_platform_domains
117          // bulk mailer abuse has been observed
118          or (
119            (
120              .href_url.domain.root_domain in $bulk_mailer_url_root_domains
121              or (
122                .href_url.rewrite.original is not null
123                and 'mandrill' in .href_url.rewrite.encoders
124              )
125            )
126            and .href_url.domain.sld not in $org_slds
127          )
128          // or the page redirects to common website, observed when evasion happens
129          or (
130            length(ml.link_analysis(., mode="aggressive").redirect_history) > 0
131            and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
132          )
133          // or common email marketing/tracking patterns
134          or regex.match(.href_url.url, 'url\d+\..*\.com/ls/click')
135          or regex.match(.href_url.path, '/ls/click|/click|/c/')
136  )
137  // negate highly trusted sender domains unless they fail DMARC authentication
138  and (
139    (
140      sender.email.domain.root_domain in $high_trust_sender_root_domains
141      and not headers.auth_summary.dmarc.pass
142    )
143    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
144  )
145  and (
146    profile.by_sender().solicited == false
147    or profile.by_sender_email().prevalence == "new"
148    or profile.by_sender_email().days_since.last_contact > 30
149    or (
150      profile.by_sender().any_messages_malicious_or_spam
151      and not profile.by_sender().any_messages_benign
152    )
153    // or it's a spoof of the org_domain
154    or (
155      sender.email.domain.domain in $org_domains
156      and not (
157        headers.auth_summary.spf.pass
158        or coalesce(headers.auth_summary.dmarc.pass, false)
159      )
160    )
161  )
162  and not profile.by_sender().any_messages_benign  
163attack_types:
164  - "Credential Phishing"
165  - "BEC/Fraud"
166tactics_and_techniques:
167  - "Social engineering"
168  - "Evasion"
169  - "Impersonation: Employee"
170detection_methods:
171  - "Content analysis"
172  - "Natural Language Understanding"
173  - "URL analysis"
174  - "Sender analysis"
175id: "9f0e1d2c-3b4a-5c6d-7e8f-9a0b1c2d3e4f"
to-top