Cloud storage impersonation with credential theft indicators

Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics.

Sublime rule (View on GitHub)

 1name: "Cloud storage impersonation with credential theft indicators"
 2description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    0 < length(body.current_thread.links) < 10
 9    or length(body.current_thread.links) > 100
10  )
11  and any([subject.subject, sender.display_name],
12          regex.icontains(.,
13                          "(?:cloud|storage|mailbox|account|system|service|^data)"
14          )
15  )
16  and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
17          .name == "cred_theft" and .confidence == "high"
18  )
19  and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
20              .name == "Customer Service and Support" and .confidence == "high"
21  )
22  and regex.icontains(beta.ocr(file.message_screenshot()).text,
23                      "storage.{0,50}full",
24                      "free.{0,50}upgrade",
25                      "storage.{0,50}details",
26                      "storage.{0,50}quot",
27                      "(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)",
28                      '\d{2}%\s*capacity',
29                      "data.{0,20}(?:removal|purge|protection mode)",
30                      "billing.{0,20}suspended"
31  )
32  and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
33  and (
34    any(body.current_thread.links,
35        // fingerprints of a hyperlinked image
36        .display_text is null
37        and .display_url.url is null
38        and .href_url.domain.domain not in $tenant_domains
39        and (
40          .href_url.domain.root_domain in $free_file_hosts
41          or .href_url.domain.root_domain in $url_shorteners
42          or network.whois(.href_url.domain).days_old < 365
43          or .href_url.domain.root_domain == "beehiiv.com"
44          or regex.icontains(.href_url.path, '^\/[a-z0-9]{20,}$')
45          or (
46            strings.icontains(.href_url.path, '.html')
47            and coalesce(.href_url.domain.root_domain, "null") != coalesce(sender.email.domain.root_domain,
48                                                                           ""
49            )
50          )
51          or "google_adservices" in .href_url.rewrite.encoders
52        )
53    )
54  )
55  // and the sender is not from high trust sender root domains
56  and (
57    (
58      sender.email.domain.root_domain in $high_trust_sender_root_domains
59      and not headers.auth_summary.dmarc.pass
60    )
61    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
62  )  
63attack_types:
64  - "Credential Phishing"
65tactics_and_techniques:
66  - "Free file host"
67  - "Image as content"
68  - "Impersonation: Brand"
69  - "Social engineering"
70detection_methods:
71  - "Computer Vision"
72  - "Content analysis"
73  - "Header analysis"
74  - "Natural Language Understanding"
75  - "Optical Character Recognition"
76  - "Sender analysis"
77  - "URL analysis"
78id: "4c20f72c-0045-518c-8157-7dad5f196ecc"
to-top