Impersonation: IT Department mailbox storage alert
Detects inbound messages impersonating an internal IT Department by presenting a fake mailbox storage alert.
Sublime rule (View on GitHub)
1name: "Impersonation: IT Department mailbox storage alert"
2description: "Detects inbound messages impersonating an internal IT Department by presenting a fake mailbox storage alert."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and strings.contains(body.current_thread.text, 'MAILBOX STORAGE ALERT')
8 and all([
9 'Clean Inbox',
10 'Storage Guide',
11 'Empty Deleted Items',
12 'Clean Mailbox Now',
13 'Contact IT Support'
14 ],
15 . in map(html.xpath(body.html, '//a').nodes, .display_text)
16 )
17 and any(body.previous_threads,
18 strings.contains(.text, 'IT Department')
19 and strings.contains(.text, 'call ext. 5555')
20 )
21attack_types:
22 - "Credential Phishing"
23tactics_and_techniques:
24 - "Impersonation: Employee"
25 - "Social engineering"
26 - "Out of band pivot"
27detection_methods:
28 - "Content analysis"
29id: "1a1753f3-4658-59bc-9e28-0c8ed6e87e9a"