Fake thread with suspicious indicators

Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.

Sublime rule (View on GitHub)

  1name: "Fake thread with suspicious indicators"
  2description: "Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  // fake thread check
  8  and (
  9    (
 10      (
 11        strings.istarts_with(subject.subject, "RE:")
 12        or strings.istarts_with(subject.subject, "FW:")
 13        or strings.istarts_with(subject.subject, "FWD:")
 14      )
 15      and (
 16        (length(headers.references) == 0 and headers.in_reply_to is null)
 17        or not any(headers.hops,
 18                   any(.fields, strings.ilike(.name, "In-Reply-To"))
 19        )
 20      )
 21    )
 22    // fake thread, but no indication in the subject line
 23    // current_thread pulls the recent thread, but the full body contains the fake "original" email
 24    or (
 25      not (
 26        (
 27          strings.istarts_with(subject.subject, "RE:")
 28          or strings.istarts_with(subject.subject, "FWD:")
 29        )
 30      )
 31      and 3 of (
 32        strings.icontains(body.html.display_text, "from:"),
 33        strings.icontains(body.html.display_text, "to:"),
 34        strings.icontains(body.html.display_text, "sent:"),
 35        strings.icontains(body.html.display_text, "subject:")
 36      )
 37      and (
 38        strings.ilevenshtein(body.current_thread.text, body.html.display_text) > 100
 39      )
 40      //negating bouncebacks
 41      and not any(attachments,
 42                  .content_type in ("message/delivery-status", "message/rfc822")
 43      )
 44    )
 45  )
 46  
 47  // unusual sender (email address rarely sends to your organization)
 48  and profile.by_sender().prevalence in ("new", "outlier", "rare")
 49  and 4 of (
 50    // language attempting to engage
 51    (
 52      any(ml.nlu_classifier(body.current_thread.text).entities,
 53          .name == "request"
 54      )
 55      and any(ml.nlu_classifier(body.current_thread.text).entities,
 56              .name == "financial"
 57      )
 58    ),
 59  
 60    // invoicing language
 61    any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
 62  
 63    // urgency request
 64    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
 65  
 66    // cred_theft detection
 67    any(ml.nlu_classifier(body.current_thread.text).intents,
 68        .name == "cred_theft" and .confidence in~ ("medium", "high")
 69    ),
 70  
 71    // commonly abused sender TLD
 72    strings.ilike(sender.email.domain.tld, "*.jp"),
 73  
 74    // headers traverse abused TLD
 75    any(headers.domains, strings.ilike(.tld, "*.jp")),
 76  
 77    // known suspicious pattern in the URL path
 78    any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),
 79  
 80    // link display text is in all caps
 81    any(body.links, regex.match(.display_text, '[A-Z ]+')),
 82  
 83    // display name contains an email
 84    regex.contains(sender.display_name, '[a-z0-9]+@[a-z]+'),
 85  
 86    // Sender domain is empty
 87    sender.email.domain.domain == "",
 88  
 89    // sender domain matches no body domains
 90    all(body.links,
 91        .href_url.domain.root_domain != sender.email.domain.root_domain
 92    ),
 93  
 94    // new body domain
 95    any(body.links, beta.whois(.href_url.domain).days_old < 30),
 96  
 97    // new sender domain
 98    beta.whois(sender.email.domain).days_old < 30,
 99  
100    // new sender
101    profile.by_sender().days_known < 7
102  )
103  
104  // negate highly trusted sender domains unless they fail DMARC authentication
105  and (
106    (
107      sender.email.domain.root_domain in $high_trust_sender_root_domains
108      and (
109        any(distinct(headers.hops, .authentication_results.dmarc is not null),
110            strings.ilike(.authentication_results.dmarc, "*fail")
111        )
112      )
113    )
114    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
115  )
116  and not profile.by_sender().any_false_positives  
117
118tags:
119  - "Attack surface reduction"
120attack_types:
121  - "BEC/Fraud"
122  - "Credential Phishing"
123  - "Spam"
124tactics_and_techniques:
125  - "Evasion"
126  - "Social engineering"
127detection_methods:
128  - "Content analysis"
129  - "Header analysis"
130  - "Natural Language Understanding"
131  - "Sender analysis"
132id: "c2e18a57-1f52-544f-bb6d-a578e286cf89"

Related rules

to-top