Fake thread with suspicious indicators
Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.
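# Sublime detection rule: flags an inbound message that pretends to be part of an
# existing thread (a "RE:"/"FW:" subject the headers do not back up, or a pasted-in
# "original" message in the body) when the sender is unfamiliar to the organization
# and at least four further suspicious indicators are present.
name: "Fake thread with suspicious indicators"
description: "Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // fake thread check
  and (
    // Branch 1: the subject claims a reply/forward but the thread headers do not support it
    (
      (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "FW:")
        or strings.istarts_with(subject.subject, "FWD:")
      )
      and (
        // no References and no In-Reply-To were parsed from the message ...
        (length(headers.references) == 0 and headers.in_reply_to is null)
        // ... or no hop carried an In-Reply-To header at all
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
    )
    // Branch 2: fake thread, but no indication in the subject line
    // current_thread pulls the recent thread, but the full body contains the fake "original" email
    or (
      // mirror the full prefix list of branch 1: a subject that announces a reply or
      // forward is only judged by the header check above, never by the body heuristics
      // below (a genuine "FW:" forward naturally carries From:/To:/Sent:/Subject: lines)
      not (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "FW:")
        or strings.istarts_with(subject.subject, "FWD:")
      )
      // quoted-message header markers in the rendered body text
      and 3 of (
        strings.icontains(body.html.display_text, "from:"),
        strings.icontains(body.html.display_text, "to:"),
        strings.icontains(body.html.display_text, "sent:"),
        strings.icontains(body.html.display_text, "subject:")
      )
      // the rendered body is noticeably longer than the current thread alone,
      // i.e. there is a substantial "earlier" message below it
      and (
        length(body.current_thread.text)+100 < length(body.html.display_text)
      )
      //negating bouncebacks
      and not any(attachments,
        .content_type in ("message/delivery-status", "message/rfc822")
      )
    )
  )

  // unusual sender (email address rarely sends to your organization)
  and profile.by_sender().prevalence in ("new", "outlier", "rare")

  // at least four of the following independent indicators must also be present
  and 4 of (
    // language attempting to engage
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "financial"
      )
    ),

    // invoicing language
    any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),

    // urgency request
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),

    // cred_theft detection
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in~ ("medium", "high")
    ),

    // commonly abused sender TLD
    // NOTE(review): the glob "*.jp" needs a literal "." before "jp", so it matches a
    // multi-label tld such as "co.jp" but not a bare "jp" — confirm the intended form
    strings.ilike(sender.email.domain.tld, "*.jp"),

    // headers traverse abused TLD
    any(headers.domains, strings.ilike(.tld, "*.jp")),

    // known suspicious pattern in the URL path
    any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),

    // link display text is in all caps
    any(body.links, regex.match(.display_text, '[A-Z ]+')),

    // display name contains an email
    regex.contains(sender.display_name, '[a-z0-9]+@[a-z]+'),

    // Sender domain is empty
    sender.email.domain.domain == "",

    // sender domain matches no body domains
    all(body.links,
        .href_url.domain.root_domain != sender.email.domain.root_domain
    ),

    // new body domain
    any(body.links, network.whois(.href_url.domain).days_old < 30),

    // new sender domain
    network.whois(sender.email.domain).days_old < 30,

    // new sender
    profile.by_sender().days_known < 7
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // suppress senders the organization has already marked as false positives
  and not profile.by_sender().any_false_positives

tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "c2e18a57-1f52-544f-bb6d-a578e286cf89"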