Credential phishing: Re-Authentication lure
Contains suspicious links and server-related terminology, requesting email account reauthentication with language targeting recipient credentials.
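name: "Credential phishing: Re-Authentication lure"
description: "Contains suspicious links and server-related terminology, requesting email account reauthentication with language targeting recipient credentials."
type: "rule"
severity: "high"
# Detection logic (MQL). The message must satisfy every top-level `and` group:
# inbound, short body with few links, NLU signals, 3 of the "email server
# language" indicators, 2 of the "suspicious link" indicators, and a sender
# that is not a high-trust root domain (or is, but fails DMARC).
source: |
  type.inbound
  and length(body.current_thread.text) < 2000
  and length(body.links) < 10
  // high-confidence credential-theft intent, or the NLU language is not English
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or ml.nlu_classifier(body.current_thread.text).language != "english"
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Security and Authentication" and .confidence == "high"
  )

  // email server language
  // every entry in this list must be a distinct indicator: a repeated entry
  // would let one phrase count twice toward the required three
  and 3 of (
    strings.icontains(body.current_thread.text, "security token"),
    strings.icontains(body.current_thread.text, "still active"),
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
    regex.icontains(body.current_thread.text, 're[- ]?activat(e|ing)'),
    regex.contains(body.current_thread.text, '\bMX\b'),
    strings.icontains(body.current_thread.text, "mail servers"),
    strings.icontains(body.current_thread.text, "email termination"),
    strings.icontains(body.current_thread.text, "locked out"),
    strings.icontains(body.current_thread.text, "email account"),
    strings.icontains(body.current_thread.text, "credential"),
    strings.icontains(subject.base, "disconnection"),
    // recipient-specific personalization of the lure
    any(recipients.to,
        .email.domain.valid and strings.icontains(subject.base, .email.email)
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icontains(body.current_thread.text,
                              strings.concat("dear ", .email.local_part)
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icontains(body.current_thread.text,
                              strings.concat(.email.domain.root_domain, " server")
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icontains(body.current_thread.text,
                              strings.concat("attn: ", .email.local_part)
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icount(body.current_thread.text, .email.email) > 1
    )
  )

  // suspicious link
  // each indicator only considers links whose root domain differs from the sender's
  and 2 of (
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        regex.match(.display_text, '[A-Z ]+')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        strings.icontains(.display_text, 'update')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        strings.icontains(.display_text, 'confirm')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        strings.icontains(.display_text, 'resolve')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        strings.icontains(.display_text, 'auth')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.root_domain == "ru.com"
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.path == "/lt.php"
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.tld in $suspicious_tlds
    ),
    // recipient address embedded in the link target or its display text
    any(recipients.to,
        .email.domain.valid
        and any(filter(body.links,
                       .href_url.domain.root_domain != sender.email.domain.root_domain
                ),
                strings.icontains(.href_url.url, ..email.email)
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and any(filter(body.links,
                       .href_url.domain.root_domain != sender.email.domain.root_domain
                ),
                strings.icontains(.display_text, ..email.email)
        )
    ),
    (
      any(filter(body.links,
                 .href_url.domain.root_domain != sender.email.domain.root_domain
          ),
          .href_url.domain.domain in $free_file_hosts
      )
      or any(filter(body.links,
                    .href_url.domain.root_domain != sender.email.domain.root_domain
             ),
             .href_url.domain.root_domain in $free_file_hosts
      )
    ),
    (
      any(filter(body.links,
                 .href_url.domain.root_domain != sender.email.domain.root_domain
          ),
          .href_url.domain.domain in $free_subdomain_hosts
      )
      or any(filter(body.links,
                    .href_url.domain.root_domain != sender.email.domain.root_domain
             ),
             .href_url.domain.root_domain in $free_subdomain_hosts
      )
    )
  )
  // and the sender is not from high trust sender root domains
  // (a high-trust root domain is still allowed through when DMARC fails)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "URL analysis"
  - "Header analysis"
  - "Sender analysis"
id: "2e45d3de-5cbf-57cf-b76d-88286c5ff58e"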