X (Twitter) Impersonation with Credential Phishing motives

calendar Dec 16, 2024  ·
Share on: linkedin copy

This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com. Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.

Sublime rule (View on GitHub)

 1name: "X (Twitter) Impersonation with Credential Phishing motives"
 2description: |
 3  This rule is designed to identify impersonation attempts by analyzing the display name or sender's
 4  local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com.
 5  Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and sender.display_name =~ "x"
11  and sender.email.domain.root_domain not in ("twitter.com", "x.com")
12  and (
13    any(attachments,
14        .file_type in~ $file_types_images
15        and any(file.explode(.),
16                any(ml.nlu_classifier(.scan.ocr.raw).intents,
17                    .name == "cred_theft" and .confidence != "low"
18                )
19        )
20    )
21    or any(ml.nlu_classifier(body.current_thread.text).intents,
22           .name == "cred_theft" and .confidence != "low"
23    )
24  )
25
26  // sender profile is new or outlier
27  and (
28    profile.by_sender().prevalence in ("new", "outlier")
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33    or sender.email.email in ("noreply@salesforce.com", "support@salesforce.com")
34  )
35  
36  // negate highly trusted sender domains unless they fail DMARC authentication
37  and (
38    (
39      sender.email.domain.root_domain in $high_trust_sender_root_domains
40      and not headers.auth_summary.dmarc.pass
41    )
42    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
43  
44    // salesforce has been abused for x/twitter phishing campaigns repeatedly 
45    or sender.email.domain.root_domain == "salesforce.com"
46  )  
47attack_types:
48  - "Credential Phishing"
49tactics_and_techniques:
50  - "Impersonation: Brand"
51  - "Social engineering"
52detection_methods:
53  - "Computer Vision"
54  - "File analysis"
55  - "Header analysis"
56  - "Optical Character Recognition"
57  - "Natural Language Understanding"
58  - "Sender analysis"
59id: "0b60dca6-db2d-5718-94d8-fdbfd06bd081"
to-top