Impersonation: Salesforce fake campaign failure notification
Detects messages impersonating Salesforce with urgent language about failed or cancelled campaigns, containing external links from first-time senders outside legitimate Salesforce domains.
Sublime rule
name: "Impersonation: Salesforce fake campaign failure notification"
description: "Detects messages impersonating Salesforce with urgent language about failed or cancelled campaigns, containing external links from first-time senders outside legitimate Salesforce domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(sender.display_name, "salesforce")
  and sender.email.domain.root_domain not in (
    "salesforce.com",
    "force.com",
    "site.com",
    "agentforce.com"
  )
  and length(attachments) == 0
  // there are external links (not org or SF domains)
  and length(filter(body.links,
                    .href_url.domain.domain not in $org_domains
                    and .href_url.domain.root_domain not in (
                      "salesforce.com",
                      "force.com",
                      "site.com" // salesforce CRM
                    )
             )
  ) > 0
  and length(body.current_thread.text) <= 600
  and strings.contains(body.current_thread.text, 'campaign')
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency" and regex.icontains(.text, "(failed|cancelled)")
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "d66000ca-1ee7-5f62-8355-0db7c44743fc"
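The same conditions, re-implemented in Python over two constructed messages so the allow-list and external-link logic can be traced without the Sublime platform; this is an added example, not Sublime's code. The `ORG_DOMAINS` value, the `.example` hostnames and the keyword stand-ins for the NLU "urgency" and "request" entities are assumptions.

```python
import re
from dataclasses import dataclass, field

# Allow lists taken from the rule; ORG_DOMAINS stands in for $org_domains (assumption).
SENDER_ALLOWED_ROOTS = {"salesforce.com", "force.com", "site.com", "agentforce.com"}
LINK_ALLOWED_ROOTS = {"salesforce.com", "force.com", "site.com"}
ORG_DOMAINS = {"example-corp.test"}

URGENCY_RE = re.compile(r"(failed|cancelled)", re.I)
# Assumption: keyword heuristic standing in for the NLU classifier's "request" entity.
REQUEST_RE = re.compile(r"\b(click|review|log ?in|verify|update)\b", re.I)


def root_domain(host: str) -> str:
    """Naive registrable-domain extraction (last two labels); adequate for sample data."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class Message:
    sender_display: str
    sender_email: str
    body_text: str
    links: list = field(default_factory=list)  # hostnames from body hrefs
    attachment_count: int = 0


def is_fake_sf_campaign_alert(m: Message) -> bool:
    """Mirror the rule: brand in display name, sender and links off-brand, short urgent body."""
    if "salesforce" not in m.sender_display.lower():
        return False
    if root_domain(m.sender_email.split("@")[-1]) in SENDER_ALLOWED_ROOTS:
        return False
    if m.attachment_count != 0:
        return False
    external = [h for h in m.links
                if h.lower() not in ORG_DOMAINS and root_domain(h) not in LINK_ALLOWED_ROOTS]
    if not external:
        return False
    text = m.body_text
    if len(text) > 600 or "campaign" not in text:  # rule's contains() is case-sensitive
        return False
    return bool(URGENCY_RE.search(text)) and bool(REQUEST_RE.search(text))


# Constructed samples: one lookalike sender, one genuine-domain sender with the same text.
PHISH = Message("Salesforce Marketing Cloud", "alerts@sf-notify-center.example",
                "Your campaign has failed to send. Please log in to review the error.",
                links=["sf-notify-center.example"])
LEGIT = Message("Salesforce", "noreply@salesforce.com",
                "Your campaign has failed to send. Please log in to review the error.",
                links=["login.salesforce.com"])
```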