X (Twitter) Impersonation with Credential Phishing motives

This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com. Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.

Sublime rule (View on GitHub)

 1name: "X (Twitter) Impersonation with Credential Phishing motives"
 2description: |
 3  This rule is designed to identify impersonation attempts by analyzing the display name or sender's
 4  local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com.
 5  Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and sender.display_name =~ "x"
11  and sender.email.domain.root_domain not in ("twitter.com", "x.com")
12  and (
13    any(attachments,
14        .file_type in~ $file_types_images
15        and any(file.explode(.),
16                any(ml.nlu_classifier(.scan.ocr.raw).intents,
17                    .name == "cred_theft" and .confidence != "low"
18                )
19        )
20    )
21    or any(ml.nlu_classifier(body.current_thread.text).intents,
22           .name == "cred_theft" and .confidence != "low"
23    )
24  )
25
26  // sender profile is new or outlier
27  and (
28    profile.by_sender().prevalence in ("new", "outlier")
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33  )
34  
35  // negate highly trusted sender domains unless they fail DMARC authentication
36  and (
37    (
38      sender.email.domain.root_domain in $high_trust_sender_root_domains
39      and not headers.auth_summary.dmarc.pass
40    )
41    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
42  )  
43attack_types:
44  - "Credential Phishing"
45tactics_and_techniques:
46  - "Impersonation: Brand"
47  - "Social engineering"
48detection_methods:
49  - "Computer Vision"
50  - "File analysis"
51  - "Header analysis"
52  - "Optical Character Recognition"
53  - "Natural Language Understanding"
54  - "Sender analysis"
55id: "0b60dca6-db2d-5718-94d8-fdbfd06bd081"
to-top