Credential phishing: Suspicious subject with urgent financial request and link
This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender.
Sublime rule (View on GitHub)
1name: "Credential phishing: Suspicious subject with urgent financial request and link"
2description: "This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 0 < length(filter(body.links,
9 not strings.ilike(.display_text,
10 "*privacy*",
11 "*terms of service*",
12 "Learn why this is important"
13 )
14 or .display_text is null
15 )
16 ) < 5
17 )
18
19 // negate webinar registrations
20 and not any(body.links,
21 .display_text =~ "REGISTER NOW"
22 and .href_url.domain.root_domain == "secureclick.net"
23 )
24
25 // not all links are unsubscribe links
26 and not all(body.links,
27 (
28 strings.icontains(.display_text, "unsubscribe")
29 and strings.icontains(.href_url.path, "unsubscribe")
30 )
31 or (
32 strings.icontains(.display_text, "deactivate")
33 and strings.icontains(.href_url.path, "DeactivateAccount")
34 )
35 )
36
37 // ignore emails in body
38 and not all(body.links, .href_url.domain.domain in $free_email_providers)
39 and length(body.current_thread.text) < 2000
40 and length(subject.subject) < 100
41
42 // and suspicious subject
43 and regex.icontains(subject.subject,
44 // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects_regex.txt
45 "termination.*notice",
46 "38417",
47 ":completed",
48 "[il1]{2}mit.*ma[il1]{2} ?bo?x",
49 "[il][il][il]egai[ -]",
50 "[li][li][li]ega[li] attempt",
51 "[ng]-?[io]n .*block",
52 "[ng]-?[io]n .*cancel",
53 "[ng]-?[io]n .*deactiv",
54 "[ng]-?[io]n .*disabl",
55 "action.*required",
56 "abandon.*package",
57 "about.your.account",
58 "acc(ou)?n?t (is )?on ho[li]d",
59 "acc(ou)?n?t.*terminat",
60 "acc(oun)?t.*[il1]{2}mitation",
61 "access.*limitation",
62 "account (will be )?block",
63 "account.*de-?activat",
64 "account.*locked",
65 "account.*re-verification",
66 "account.*security",
67 "account.*suspension",
68 "account.has.been",
69 "account.has.expired",
70 "account.will.be.blocked",
71 "account v[il]o[li]at",
72 "activity.*acc(oun)?t",
73 "almost.full",
74 "app[li]e.[il]d",
75 "authenticate.*account",
76 "been.*suspend",
77 "clos.*of.*account.*processed",
78 "confirm.your.account",
79 "courier.*able",
80 "crediential.*notif",
81 "deactivation.*in.*progress",
82 "delivery.*attempt.*failed",
83 "document.(?:submitted|received)",
84 "documented.*shared.*with.*you",
85 "dropbox.*document",
86 "e-?ma[il1]+ .{010}suspen",
87 "e-?ma[il1]{1} user",
88 "e-?ma[il1]{2} acc",
89 "e-?ma[il1]{2}.*up.?grade",
90 "e.?ma[il1]{2}.*server",
91 "e.?ma[il1]{2}.*suspend",
92 "email.update",
93 "faxed you",
94 "^final reminder: .*(?:overdue|resolve|access ends)",
95 "fraud(ulent)?.*charge",
96 "from.helpdesk",
97 "fu[il1]{2}.*ma[il1]+[ -]?box",
98 "has.been.*suspended",
99 "has.been.limited",
100 "have.locked",
101 "he[li]p ?desk upgrade",
102 "heipdesk",
103 "i[il]iega[il]",
104 "ii[il]ega[il]",
105 "incoming e?mail",
106 "incoming.*fax",
107 "lock.*security",
108 "ma[il1]{1}[ -]?box.*quo",
109 "ma[il1]{2}[ -]?box.*fu[il1]",
110 "ma[il1]{2}box.*[il1]{2}mit",
111 "ma[il1]{2}box stor",
112 "mail on.?hold",
113 "mail.*box.*migration",
114 "mail.*de-?activat",
115 "mail.update.required",
116 "mails.*pending",
117 "messages.*pending",
118 "missed.*shipping.*notification",
119 "missed.shipment.notification",
120 "must.update.your.account",
121 "new [sl][io]g?[nig][ -]?in from",
122 "new voice ?-?mail",
123 "notifications.*pending",
124 "office.*3.*6.*5.*suspend",
125 "office365",
126 "on google docs with you",
127 "online doc",
128 "password.*compromised",
129 "periodic maintenance",
130 "potential(ly)? unauthorized",
131 "refund not approved",
132 "revised.*policy",
133 "scam",
134 "scanned.?invoice",
135 "secured?.update",
136 "security breach",
137 "securlty",
138 "signed.*delivery",
139 "status of your .{314}? ?delivery",
140 "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
141 "suspicious.*sign.*[io]n",
142 "suspicious.activit",
143 "temporar(il)?y deactivate",
144 "temporar[il1]{2}y disab[li]ed",
145 "temporarily.*lock",
146 "un-?usua[li].activity",
147 "unable.*deliver",
148 "unauthorized.*activit",
149 "unauthorized.device",
150 "unauthorized.sign.?in",
151 "unrecognized.*activit",
152 "unrecognized.sign.?in",
153 "unrecognized.*activit",
154 "undelivered message",
155 "unread.*doc",
156 "unusual.activity",
157 "upgrade.*account",
158 "upgrade.notice",
159 "urgent message",
160 "urgent.verification",
161 "v[il1]o[li1]at[il1]on security",
162 "va[il1]{1}date.*ma[il1]{2}[ -]?box",
163 "verification ?-?require",
164 "verification( )?-?need",
165 "verify.your?.account",
166 "web ?-?ma[il1]{2}",
167 "web[ -]?ma[il1]{2}",
168 "will.be.suspended",
169 "your (customer )?account .as",
170 "your.office.365",
171 "your.online.access",
172
173 // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
174 "account has been limited",
175 "action required",
176 "almost full",
177 "apd notifi cation",
178 "are you at your desk",
179 "are you available",
180 "attached file to docusign",
181 "banking is temporarily unavailable",
182 "bankofamerica",
183 "closing statement invoice",
184 "completed: docusign",
185 "de-activation of",
186 "delivery attempt",
187 "delivery stopped for shipment",
188 "detected suspicious",
189 "detected suspicious actvity",
190 "docu sign",
191 "document for you",
192 "document has been sent to you via docusign",
193 "document is ready for signature",
194 "docusign",
195 "encrypted message",
196 "failed delivery",
197 "fedex tracking",
198 "file was shared",
199 "freefax",
200 "fwd: due invoice paid",
201 "has shared",
202 "inbox is full",
203 "invitation to comment",
204 "invitation to edit",
205 "invoice due",
206 "left you a message",
207 "message from",
208 "new message",
209 "new voicemail",
210 "on desk",
211 "out of space",
212 "password reset",
213 "payment status",
214 "quick reply",
215 "re: w-2",
216 "required",
217 "required: completed docusign",
218 "ringcentral",
219 "scanned image",
220 "secured files",
221 "secured pdf",
222 "security alert",
223 "new sign-in",
224 "new sign in",
225 "sign-in attempt",
226 "sign in attempt",
227 "staff review",
228 "suspicious activity",
229 "unrecognized login attempt",
230 "upgrade immediately",
231 "urgent",
232 "wants to share",
233 '\bw2\b',
234 "you have notifications pending",
235 "your account",
236 "your amazon order",
237 "your document settlement",
238 "your order with amazon",
239 "your password has been compromised",
240
241 // cryptocurrency related subjects
242 '\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview',
243 )
244
245 // language attempting to engage
246 and any(ml.nlu_classifier(body.current_thread.text).entities,
247 .name == "request"
248 )
249
250 // financial request
251 and any(ml.nlu_classifier(body.current_thread.text).entities,
252 .name == "financial"
253 )
254
255 // urgency request
256 and any(ml.nlu_classifier(body.current_thread.text).entities,
257 .name == "urgency"
258 )
259
260 // org presence
261 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org")
262
263 // not a reply
264 and (
265 not strings.istarts_with(subject.subject, "re:")
266 and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
267 )
268
269 // the message is unsolicited and no false positives
270 and (
271 not profile.by_sender_email().solicited
272 or (
273 profile.by_sender().any_messages_malicious_or_spam
274 and not profile.by_sender().any_messages_benign
275 )
276 or (
277 profile.by_sender().any_messages_malicious_or_spam
278 and profile.by_sender().any_messages_benign
279 and (
280 not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass
281 )
282 )
283 )
284
285 // negate highly trusted sender domains unless they fail DMARC authentication
286 and (
287 (
288 sender.email.domain.root_domain in $high_trust_sender_root_domains
289 and not headers.auth_summary.dmarc.pass
290 )
291 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
292 )
293
294 // negation the only link is the senders email
295 and not (
296 regex.contains(body.current_thread.text,
297 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
298 )
299 and (
300 all(body.links, .href_url.domain.root_domain == sender.email.domain.domain)
301 )
302 )
303attack_types:
304 - "Credential Phishing"
305tactics_and_techniques:
306 - "Impersonation: Brand"
307 - "Social engineering"
308detection_methods:
309 - "Content analysis"
310 - "Header analysis"
311 - "Natural Language Understanding"
312 - "Sender analysis"
313id: "056464f4-7a16-5f07-ab86-912e0a64ecae"