Impersonation: IT Department mailbox storage alert

Detects inbound messages impersonating an internal IT Department by presenting a fake mailbox storage alert.

Sublime rule (View on GitHub)

 1name: "Impersonation: IT Department mailbox storage alert"
 2description: "Detects inbound messages impersonating an internal IT Department by presenting a fake mailbox storage alert."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and strings.contains(body.current_thread.text, 'MAILBOX STORAGE ALERT')
 8  and all([
 9            'Clean Inbox',
10            'Storage Guide',
11            'Empty Deleted Items',
12            'Clean Mailbox Now',
13            'Contact IT Support'
14          ],
15          . in map(html.xpath(body.html, '//a').nodes, .display_text)
16  )
17  and any(body.previous_threads,
18          strings.contains(.text, 'IT Department')
19          and strings.contains(.text, 'call ext. 5555')
20  )  
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "Impersonation: Employee"
25  - "Social engineering"
26  - "Out of band pivot"
27detection_methods:
28  - "Content analysis"
29id: "1a1753f3-4658-59bc-9e28-0c8ed6e87e9a"
to-top