Impersonation: Salesforce fake campaign failure notification

 1name: "Impersonation: Salesforce fake campaign failure notification"
 2description: "Detects messages impersonating Salesforce with urgent language about failed or cancelled campaigns, containing external links from first-time senders outside legitimate Salesforce domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and strings.icontains(sender.display_name, "salesforce")
 8  and sender.email.domain.root_domain not in (
 9    "salesforce.com",
10    "force.com",
11    "site.com",
12    "agentforce.com"
13  )
14  and length(attachments) == 0
15  // theare are external links (not org or SF domains)
16  and length(filter(body.links,
17                    .href_url.domain.domain not in $org_domains
18                    and .href_url.domain.root_domain not in (
19                      "salesforce.com",
20                      "force.com",
21                      "site.com" // salesforce CRM 
22                    )
23             )
24  ) > 0
25  
26  and length(body.current_thread.text) <= 600
27  and strings.contains(body.current_thread.text, 'campaign'
28  )
29  and any(ml.nlu_classifier(body.current_thread.text).entities,
30          .name == "urgency" and regex.icontains(.text, "(failed|cancelled)")
31  )
32  and any(ml.nlu_classifier(body.current_thread.text).entities,
33          .name == "request"
34  )
35    
36
37attack_types:
38  - "Credential Phishing"
39tactics_and_techniques:
40  - "Impersonation: Brand"
41  - "Social engineering"
42detection_methods:
43  - "Content analysis"
44  - "Natural Language Understanding"
45  - "Sender analysis"
46  - "URL analysis"
47id: "d66000ca-1ee7-5f62-8355-0db7c44743fc"