X (Twitter) Impersonation with Credential Phishing motives

 1name: "X (Twitter) Impersonation with Credential Phishing motives"
 2description: |
 3  This rule is designed to identify impersonation attempts by analyzing the display name or sender's
 4  local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com.
 5  Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and sender.display_name =~ "x"
11  and sender.email.domain.root_domain not in ("twitter.com", "x.com")
12  and (
13    any(attachments,
14        .file_type in~ $file_types_images
15        and any(file.explode(.),
16                any(ml.nlu_classifier(.scan.ocr.raw).intents,
17                    .name == "cred_theft" and .confidence != "low"
18                )
19        )
20    )
21    or any(ml.nlu_classifier(body.current_thread.text).intents,
22           .name == "cred_theft" and .confidence != "low"
23    )
24  )
25
26  // sender profile is new or outlier
27  and (
28    profile.by_sender().prevalence in ("new", "outlier")
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33  )
34  
35  // negate highly trusted sender domains unless they fail DMARC authentication
36  and (
37    (
38      sender.email.domain.root_domain in $high_trust_sender_root_domains
39      and not headers.auth_summary.dmarc.pass
40    )
41    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
42  )  
43attack_types:
44  - "Credential Phishing"
45tactics_and_techniques:
46  - "Impersonation: Brand"
47  - "Social engineering"
48detection_methods:
49  - "Computer Vision"
50  - "File analysis"
51  - "Header analysis"
52  - "Optical Character Recognition"
53  - "Natural Language Understanding"
54  - "Sender analysis"
55id: "0b60dca6-db2d-5718-94d8-fdbfd06bd081"