Impersonation: Salesforce fake campaign failure notification
Detects messages impersonating Salesforce with urgent language about failed or cancelled campaigns, sent from outside legitimate Salesforce domains and containing links to domains that are neither the organization's nor Salesforce's.
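# Sublime Platform detection rule (MQL in the `source` block).
# Fires on inbound mail whose display name claims to be Salesforce but that is
# not an authenticated Salesforce sender, carries a short, urgent
# "campaign failed/cancelled" lure, and links to a domain that is neither the
# organization's nor Salesforce's.
name: "Impersonation: Salesforce fake campaign failure notification"
description: "Detects messages impersonating Salesforce with urgent language about failed or cancelled campaigns, sent from outside legitimate Salesforce domains and containing links to domains that are neither the organization's nor Salesforce's."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Brand claim lives in the display name; the address is checked separately
  and strings.icontains(sender.display_name, "salesforce")
  // Exempt genuine Salesforce properties only when the message authenticates
  // as them. Exempting on the claimed From: domain alone would let a spoofed
  // salesforce.com sender (DMARC fail) bypass the rule entirely.
  and not (
    sender.email.domain.root_domain in (
      "salesforce.com",
      "force.com",
      "site.com",
      "agentforce.com"
    )
    and headers.auth_summary.dmarc.pass
  )
  // This lure is link-based; attachment-based variants are out of scope here
  and length(attachments) == 0
  // there are external links (not org or Salesforce domains)
  // NOTE(review): agentforce.com is exempted for senders above but not for
  // links here - confirm whether that asymmetry is intentional.
  and length(filter(body.links,
                    .href_url.domain.domain not in $org_domains
                    and .href_url.domain.root_domain not in (
                      "salesforce.com",
                      "force.com",
                      "site.com" // salesforce CRM
                    )
                   )
            ) > 0
  // Short notification-style body; long threads are a different pattern
  and length(body.current_thread.text) <= 600
  // Case-insensitive to match the rule's other string checks; the original
  // case-sensitive match missed "Campaign" at the start of a sentence
  and strings.icontains(body.current_thread.text, 'campaign')
  // Urgency entity must mention the failure/cancellation; accept both
  // "cancelled" and "canceled" spellings and the "failure" noun form
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
          and regex.icontains(.text, "(fail(ed|ure)|cancell?ed)")
  )
  // ...and the body asks the recipient to do something (the call to action)
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
  // NOTE(review): the rule does not gate on sender history (e.g. a
  // sender-prevalence check); layer one if precision becomes a problem.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "d66000ca-1ee7-5f62-8355-0db7c44743fc"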