Cloud storage impersonation with credential theft indicators

Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics.

Sublime rule (View on GitHub)

 1name: "Cloud storage impersonation with credential theft indicators"
 2description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
  // link-light messages only: between 1 and 9 links in the current thread
 7  and 0 < length(body.current_thread.links) < 10
  // storage/account vocabulary in either the subject or the sender display name
 8  and any([subject.subject, sender.display_name],
 9          regex.icontains(., "(?:cloud|storage|mailbox|account|system|service)")
10  )
  // the rendered message is screenshotted, OCR'd and run through the NLU
  // classifier; require a high-confidence credential-theft intent so that
  // lure text embedded in images (not in the body text) is still caught
11  and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
12          .name == "cred_theft" and .confidence == "high"
13  )
  // false-positive guard: skip screenshots the classifier confidently reads
  // as customer-service / support content
14  and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
15              .name == "Customer Service and Support" and .confidence == "high"
16  )
  // storage-quota urgency phrasing in the OCR'd text (variadic pattern list;
  // presumably any one pattern matching is sufficient - confirm against MQL docs)
17  and regex.icontains(beta.ocr(file.message_screenshot()).text,
18                      "storage.{0,50}full",
19                      "free.{0,50}upgrade",
20                      "storage.{0,50}details",
21                      "storage.{0,50}quot",
22                      "(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)"
23  )
  // legitimate plan/quota notices tend to mention a "free plan"; exclude them
  // NOTE(review): the screenshot is OCR'd in four separate expressions above;
  // whether the engine caches that result is not visible from this rule
24  and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
25  and (
26    any(body.current_thread.links,
27        // fingerprints of a hyperlinked image
28        .display_text is null
29        and .display_url.url is null
  // the image must link outside the tenant's own domains ...
30        and .href_url.domain.domain not in $tenant_domains
  // ... and to a destination with at least one abuse signal:
31        and (
  // free file host or URL shortener
32          .href_url.domain.root_domain in $free_file_hosts
33          or .href_url.domain.root_domain in $url_shorteners
  // recently registered domain (WHOIS age under one year)
34          or network.whois(.href_url.domain).days_old < 365
  // hard-coded root domain (presumably a newsletter/hosting platform seen in
  // this campaign; consider moving it to a list so it can be reviewed)
35          or .href_url.domain.root_domain == "beehiiv.com"
  // path is a single opaque token of 20+ alphanumerics, typical of
  // auto-generated landing-page slugs
36          or regex.icontains(.href_url.path, '^\/[a-z0-9]{20,}$')
  // an .html page hosted on a root domain other than the sender's; the
  // coalesce defaults ("null" vs "") mean two null domains still count as a
  // mismatch rather than a match
37          or (
38            strings.icontains(.href_url.path, '.html')
39            and coalesce(.href_url.domain.root_domain, "null") != coalesce(sender.email.domain.root_domain,
40                                                                           ""
41            )
42          )
43        )
44    )
45  )
46  // and the sender is not from high trust sender root domains
  // i.e. a high-trust root domain is only eligible when DMARC did not pass
  // (likely spoofed); this is equivalent to
  // not (root_domain in $high_trust_sender_root_domains and dmarc.pass)
47  and (
48    (
49      sender.email.domain.root_domain in $high_trust_sender_root_domains
50      and not headers.auth_summary.dmarc.pass
51    )
52    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
53  )  
  # classification metadata for the rule
54attack_types:
55  - "Credential Phishing"
56tactics_and_techniques:
57  - "Free file host"
58  - "Image as content"
59  - "Impersonation: Brand"
60  - "Social engineering"
  # every analysis surface the source block relies on
61detection_methods:
62  - "Computer Vision"
63  - "Content analysis"
64  - "Header analysis"
65  - "Natural Language Understanding"
66  - "Optical Character Recognition"
67  - "Sender analysis"
68  - "URL analysis"
69id: "4c20f72c-0045-518c-8157-7dad5f196ecc"