Credential Phishing: Suspicious subject with urgent financial request and link

This rule inspects inbound messages whose subject matches a known suspicious-subject pattern, that contain between one and four links (zero-link messages are excluded), and that have a relatively short body. Natural Language Understanding is used to confirm that the body contains financial, request, urgency and organization entities, and the sender must be unsolicited (or previously flagged as malicious or spam). Messages that look like replies, and messages from high-trust sender domains that pass DMARC, are excluded.

Sublime rule (View on GitHub)

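  # Credential-phishing detection: a short, link-light inbound message with a
  # known suspicious subject whose body the NLU classifier tags as a financial
  # request with urgency from an organization, from an unsolicited sender.
  # Note: "less than 5 links" in the description means 1-4 links; zero-link
  # messages are excluded by the first body.links condition below.
  name: "Credential Phishing: Suspicious subject with urgent financial request and link"
  description: "This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender."
  type: "rule"
  severity: "medium"
  source: |
    type.inbound
    // at least one link, at most four
    and 0 < length(body.links) < 5

    // negate webinar registrations: only when the display text AND the
    // hard-coded vendor root domain both match
    and not any(body.links,
                .display_text =~ "REGISTER NOW"
                and .href_url.domain.root_domain == "secureclick.net"
    )

    // not all links are unsubscribe links (display text and URL path must both
    // say "unsubscribe" for a link to count as one)
    and not all(body.links,
                strings.icontains(.display_text, "unsubscribe")
                and strings.icontains(.href_url.path, "unsubscribe")
    )

    // ignore emails in body: skip messages whose links all point at free
    // email-provider domains
    and not all(body.links, .href_url.domain.domain in $free_email_providers)
    // short body and short subject; the subject cap also bounds what the
    // regexes below can ever match
    and length(body.current_thread.text) < 2000
    and length(subject.subject) < 100

    // and suspicious subject: any pattern may match anywhere in the subject,
    // case-insensitively. Several entries are deliberately broad ("urgent",
    // "required", "your account", "w2", "office365"); precision comes from the
    // NLU, reply and sender gates further down, not from this list alone.
    and regex.icontains(subject.subject,
                        // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects_regex.txt
                        "termination.*notice",
                        "38417",
                        ":completed",
                        "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                        "[il][il][il]egai[ -]",
                        "[li][li][li]ega[li] attempt",
                        "[ng]-?[io]n .*block",
                        "[ng]-?[io]n .*cancel",
                        "[ng]-?[io]n .*deactiv",
                        "[ng]-?[io]n .*disabl",
                        "action.*required",
                        "abandon.*package",
                        "about.your.account",
                        "acc(ou)?n?t (is )?on ho[li]d",
                        "acc(ou)?n?t.*terminat",
                        "acc(oun)?t.*[il1]{2}mitation",
                        "access.*limitation",
                        "account (will be )?block",
                        "account.*de-?activat",
                        "account.*locked",
                        "account.*re-verification",
                        "account.*security",
                        "account.*suspension",
                        "account.has.been",
                        "account.has.expired",
                        "account.will.be.blocked",
                        "account v[il]o[li]at",
                        "activity.*acc(oun)?t",
                        "almost.full",
                        "app[li]e.[il]d",
                        "authenticate.*account",
                        "been.*suspend",
                        "clos.*of.*account.*processed",
                        "confirm.your.account",
                        "courier.*able",
                        "deactivation.*in.*progress",
                        "delivery.*attempt.*failed",
                        "document.received",
                        "documented.*shared.*with.*you",
                        "dropbox.*document",
                        // NOTE(review): .{010} is an exact-count quantifier (exactly 10
                        // characters in most engines), probably intended as a range such
                        // as {0,10} -- confirm against the upstream list before changing
                        "e-?ma[il1]+ .{010}suspen",
                        "e-?ma[il1]{1} user",
                        "e-?ma[il1]{2} acc",
                        "e-?ma[il1]{2}.*up.?grade",
                        "e.?ma[il1]{2}.*server",
                        "e.?ma[il1]{2}.*suspend",
                        "email.update",
                        "faxed you",
                        "fraud(ulent)?.*charge",
                        "from.helpdesk",
                        "fu[il1]{2}.*ma[il1]+[ -]?box",
                        "has.been.*suspended",
                        "has.been.limited",
                        "have.locked",
                        "he[li]p ?desk upgrade",
                        "heipdesk",
                        "i[il]iega[il]",
                        "ii[il]ega[il]",
                        "incoming e?mail",
                        "incoming.*fax",
                        "lock.*security",
                        "ma[il1]{1}[ -]?box.*quo",
                        "ma[il1]{2}[ -]?box.*fu[il1]",
                        "ma[il1]{2}box.*[il1]{2}mit",
                        "ma[il1]{2}box stor",
                        "mail on.?hold",
                        "mail.*box.*migration",
                        "mail.*de-?activat",
                        "mail.update.required",
                        "mails.*pending",
                        "messages.*pending",
                        "missed.*shipping.*notification",
                        "missed.shipment.notification",
                        "must.update.your.account",
                        "new [sl][io]g?[nig][ -]?in from",
                        "new voice ?-?mail",
                        "notifications.*pending",
                        "office.*3.*6.*5.*suspend",
                        "office365",
                        "on google docs with you",
                        "online doc",
                        "password.*compromised",
                        "periodic maintenance",
                        "potential(ly)? unauthorized",
                        "refund not approved",
                        "revised.*policy",
                        "scam",
                        "scanned.?invoice",
                        "secured?.update",
                        "security breach",
                        "securlty",
                        "signed.*delivery",
                        // NOTE(review): .{314}? requires exactly 314 characters, which can
                        // never match under the 100-character subject cap above, so this
                        // entry is dead; likely a typo for a range such as {3,14}? --
                        // confirm against the upstream list before changing
                        "status of your .{314}? ?delivery",
                        "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                        "suspicious.*sign.*[io]n",
                        "suspicious.activit",
                        "temporar(il)?y deactivate",
                        "temporar[il1]{2}y disab[li]ed",
                        "temporarily.*lock",
                        "un-?usua[li].activity",
                        "unable.*deliver",
                        "unauthorized.*activit",
                        "unauthorized.device",
                        "unauthorized.sign.?in",
                        "unrecognized.*activit",
                        "unrecognized.sign.?in",
                        "undelivered message",
                        "unread.*doc",
                        "unusual.activity",
                        "upgrade.*account",
                        "upgrade.notice",
                        "urgent message",
                        "urgent.verification",
                        "v[il1]o[li1]at[il1]on security",
                        "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                        "verification ?-?require",
                        "verification( )?-?need",
                        "verify.your?.account",
                        "web ?-?ma[il1]{2}",
                        "web[ -]?ma[il1]{2}",
                        "will.be.suspended",
                        "your (customer )?account .as",
                        "your.office.365",
                        "your.online.access",

                        // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
                        "account has been limited",
                        "action required",
                        "almost full",
                        "apd notifi cation",
                        "are you at your desk",
                        "are you available",
                        "attached file to docusign",
                        "banking is temporarily unavailable",
                        "bankofamerica",
                        "closing statement invoice",
                        "completed: docusign",
                        "de-activation of",
                        "delivery attempt",
                        "delivery stopped for shipment",
                        "detected suspicious",
                        "detected suspicious actvity",
                        "docu sign",
                        "document for you",
                        "document has been sent to you via docusign",
                        "document is ready for signature",
                        "docusign",
                        "encrypted message",
                        "failed delivery",
                        "fedex tracking",
                        "file was shared",
                        "freefax",
                        "fwd: due invoice paid",
                        "has shared",
                        "inbox is full",
                        "invitation to comment",
                        "invitation to edit",
                        "invoice due",
                        "left you a message",
                        "message from",
                        "new message",
                        "new voicemail",
                        "on desk",
                        "out of space",
                        "password reset",
                        "payment status",
                        "quick reply",
                        "re: w-2",
                        "required",
                        "required: completed docusign",
                        "ringcentral",
                        "scanned image",
                        "secured files",
                        "secured pdf",
                        "security alert",
                        "new sign-in",
                        "new sign in",
                        "sign-in attempt",
                        "sign in attempt",
                        "staff review",
                        "suspicious activity",
                        "unrecognized login attempt",
                        "upgrade immediately",
                        "urgent",
                        "wants to share",
                        "w2",
                        "you have notifications pending",
                        "your account",
                        "your amazon order",
                        "your document settlement",
                        "your password has been compromised",
    )

    // NLU gate: all four entity types must be present in the current thread
    // text for the rule to fire.

    // language attempting to engage
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )

    // financial request
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "financial"
    )

    // urgency request
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
    )

    // org presence
    and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org")

    // not a reply: neither a "re:" subject prefix nor an In-Reply-To header on
    // any hop. NOTE(review): both signals are attacker-controlled, so a forged
    // "re:" prefix or In-Reply-To header takes a message out of this rule's scope.
    and (
      not strings.istarts_with(subject.subject, "re:")
      and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )

    // the message is unsolicited and no false positives: a solicited sender
    // stays in scope only if it has previously sent malicious or spam messages
    and (
      not profile.by_sender().solicited
      or profile.by_sender().any_messages_malicious_or_spam
    )
    and not profile.by_sender().any_false_positives

    // negate highly trusted sender domains unless they fail DMARC authentication:
    // a high-trust root domain is only exempt while DMARC passes, so a spoofed
    // high-trust sender that fails DMARC remains in scope
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and (
          any(distinct(headers.hops, .authentication_results.dmarc is not null),
              strings.ilike(.authentication_results.dmarc, "*fail")
          )
        )
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )

    // negation: the only link is the sender's email. Skips messages that carry an
    // email address in the body text and whose links all point at the sender's
    // own domain.
    // NOTE(review): this compares the link's root_domain with the sender's full
    // domain (not root_domain); a sender at a subdomain can never satisfy it and
    // so is never excluded -- confirm whether the asymmetry is intended. Also,
    // the exclusion trusts the sender's domain: a lookalike domain whose links
    // all point back at itself, with an address in the body, is excluded here.
    and not (
      regex.contains(body.current_thread.text,
                     "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
      )
      and (
        all(body.links, .href_url.domain.root_domain == sender.email.domain.domain)
      )
    )

  attack_types:
    - "Credential Phishing"
  tactics_and_techniques:
    - "Impersonation: Brand"
    - "Social engineering"
  detection_methods:
    - "Content analysis"
    - "Header analysis"
    - "Natural Language Understanding"
    - "Sender analysis"
  id: "056464f4-7a16-5f07-ab86-912e0a64ecae"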