Cloud storage impersonation with credential theft indicators
Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics.
Sublime rule (View on GitHub)
1name: "Cloud storage impersonation with credential theft indicators"
2description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 0 < length(body.current_thread.links) < 10
9 or length(body.current_thread.links) > 100
10 )
11 and any([subject.subject, sender.display_name],
12 regex.icontains(.,
13 "(?:cloud|storage|mailbox|account|system|service|^data)"
14 )
15 )
16 and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
17 .name == "cred_theft" and .confidence == "high"
18 )
19 and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
20 .name == "Customer Service and Support" and .confidence == "high"
21 )
22 and regex.icontains(beta.ocr(file.message_screenshot()).text,
23 "storage.{0,50}full",
24 "free.{0,50}upgrade",
25 "storage.{0,50}details",
26 "storage.{0,50}quot",
27 "(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)",
28 '\d{2}%\s*capacity',
29 "data.{0,20}(?:removal|purge|protection mode)",
30 "billing.{0,20}suspended"
31 )
32 and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
33 and (
34 any(body.current_thread.links,
35 // fingerprints of a hyperlinked image
36 .display_text is null
37 and .display_url.url is null
38 and .href_url.domain.domain not in $tenant_domains
39 and (
40 .href_url.domain.root_domain in $free_file_hosts
41 or .href_url.domain.root_domain in $url_shorteners
42 or network.whois(.href_url.domain).days_old < 365
43 or .href_url.domain.root_domain == "beehiiv.com"
44 or regex.icontains(.href_url.path, '^\/[a-z0-9]{20,}$')
45 or (
46 strings.icontains(.href_url.path, '.html')
47 and coalesce(.href_url.domain.root_domain, "null") != coalesce(sender.email.domain.root_domain,
48 ""
49 )
50 )
51 or "google_adservices" in .href_url.rewrite.encoders
52 )
53 )
54 )
55 // and the sender is not from high trust sender root domains
56 and (
57 (
58 sender.email.domain.root_domain in $high_trust_sender_root_domains
59 and not headers.auth_summary.dmarc.pass
60 )
61 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
62 )
63attack_types:
64 - "Credential Phishing"
65tactics_and_techniques:
66 - "Free file host"
67 - "Image as content"
68 - "Impersonation: Brand"
69 - "Social engineering"
70detection_methods:
71 - "Computer Vision"
72 - "Content analysis"
73 - "Header analysis"
74 - "Natural Language Understanding"
75 - "Optical Character Recognition"
76 - "Sender analysis"
77 - "URL analysis"
78id: "4c20f72c-0045-518c-8157-7dad5f196ecc"