X (Twitter) Impersonation with Credential Phishing motives
This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com. Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.
Sublime rule (View on GitHub)
1name: "X (Twitter) Impersonation with Credential Phishing motives"
2description: |
3 This rule is designed to identify impersonation attempts by analyzing the display name or sender's
4 local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com.
5 Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 and sender.display_name =~ "x"
11 and sender.email.domain.root_domain not in ("twitter.com", "x.com")
12 and (
13 any(attachments,
14 .file_type in~ $file_types_images
15 and any(file.explode(.),
16 any(ml.nlu_classifier(.scan.ocr.raw).intents,
17 .name == "cred_theft" and .confidence != "low"
18 )
19 )
20 )
21 or any(ml.nlu_classifier(body.current_thread.text).intents,
22 .name == "cred_theft" and .confidence != "low"
23 )
24 )
25
26 // sender profile is new or outlier
27 and (
28 profile.by_sender().prevalence in ("new", "outlier")
29 or (
30 profile.by_sender().any_messages_malicious_or_spam
31 and not profile.by_sender().any_false_positives
32 )
33 )
34
35 // negate highly trusted sender domains unless they fail DMARC authentication
36 and (
37 (
38 sender.email.domain.root_domain in $high_trust_sender_root_domains
39 and not headers.auth_summary.dmarc.pass
40 )
41 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
42 )
43attack_types:
44 - "Credential Phishing"
45tactics_and_techniques:
46 - "Impersonation: Brand"
47 - "Social engineering"
48detection_methods:
49 - "Computer Vision"
50 - "File analysis"
51 - "Header analysis"
52 - "Optical Character Recognition"
53 - "Natural Language Understanding"
54 - "Sender analysis"
55id: "0b60dca6-db2d-5718-94d8-fdbfd06bd081"