Cloud storage impersonation with credential theft indicators

Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata wrapping an MQL expression in `source`.
# The rule matches a message only when every top-level `and` clause in `source` is true.
name: "Cloud storage impersonation with credential theft indicators"
description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only.
  type.inbound
  // 1 to 7 links in the current thread body. At least one link is required anyway by the
  // hyperlinked-image clause below; the upper bound presumably keeps link-heavy bulk mail out.
  and 0 < length(body.current_thread.links) < 8
  // Brand signal: a cloud/storage/mailbox keyword (case-insensitive) in either the subject
  // or the sender display name. This is a loose keyword match, not a verified brand lookup.
  and any([subject.subject, sender.display_name],
          regex.icontains(., "(?:cloud|storage|mailbox)")
  )
  // Run the NLU classifier over OCR text of the rendered message screenshot (so text that
  // exists only inside an image is still inspected) and require a high-confidence
  // credential-theft intent.
  // NOTE(review): the screenshot + OCR expression is repeated three times in this rule;
  // whether the engine caches it is not visible here.
  and any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
          .name == "cred_theft" and .confidence == "high"
  )
  // Storage-themed urgency language in the OCR text; any one pattern is enough.
  // ".{0,50}" permits up to 50 arbitrary characters between the two keywords.
  and regex.icontains(beta.ocr(beta.message_screenshot()).text,
                      "storage.{0,50}full",
                      "free.{0,50}upgrade",
                      "storage.{0,50}details",
                      "storage.{0,50}quot",
                      "(?:mailbox|cloud|account).{0,50}disabled",
                      "(?:email|cloud|total).{0,50}storage"
  )
  // False-positive guard: drop messages whose OCR text mentions a "free plan"
  // (presumably legitimate plan/quota notices).
  and not strings.ilike(beta.ocr(beta.message_screenshot()).text, "*free plan*")
  and (
    any(body.current_thread.links,
        // fingerprints of a hyperlinked image
        // (no display text and no display URL; note this also describes any link
        // without visible anchor text, not only images)
        .display_text is null
        and .display_url.url is null
        // the target must be outside the tenant's own domains ...
        and .href_url.domain.domain not in $tenant_domains
        // ... and on a free file host, or beehiiv.com, which is listed explicitly here
        and (
          .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain == "beehiiv.com"
        )
    )
  )
  
  // and the sender is not from high trust sender root domains
  // A high-trust root domain is exempt only when DMARC passed; if DMARC did not pass the
  // trusted domain may be spoofed and the message stays in scope. Every other sender
  // domain is in scope unconditionally.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "4c20f72c-0045-518c-8157-7dad5f196ecc"