Credential phishing content and link (untrusted sender)
Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.
Sublime rule (View on GitHub)
1name: "Credential phishing content and link (untrusted sender)"
2description: |
3 Message contains credential theft language and a link to a credential phishing page from an unknown sender.
4 We use Link Analysis in aggressive mode to increase our chances of scanning.
5type: "rule"
6severity: "high"
7source: |
8 type.inbound
9 and (
10 any(ml.nlu_classifier(body.current_thread.text).intents,
11 .name == "cred_theft" and .confidence in ("medium", "high")
12 )
13 // embedded in an image attachment
14 // note: don't use message_screenshot() for now
15 // because it's not limited to current_thread and may FP
16 or any(attachments,
17 .file_type in $file_types_images
18 and any(file.explode(.),
19 any(ml.nlu_classifier(.scan.ocr.raw).intents,
20 .name == "cred_theft" and .confidence in ("medium", "high")
21 )
22 )
23 )
24 )
25 and any(body.links,
26 .href_url.domain.root_domain not in ("outlook.com")
27 and .href_url.domain.domain != "play.google.com"
28 and ml.link_analysis(., mode="aggressive").effective_url.domain.domain != "play.google.com"
29 and ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
30 and ml.link_analysis(., mode="aggressive").credphish.confidence in (
31 "medium",
32 "high"
33 )
34 and not .href_url.domain.root_domain == "c3reservations.com"
35 )
36 and (
37 (
38 profile.by_sender_email().prevalence in ("new", "outlier")
39 and not profile.by_sender_email().solicited
40 )
41 or (
42 profile.by_sender_email().any_messages_malicious_or_spam
43 and not profile.by_sender_email().any_messages_benign
44 )
45 )
46
47 // negate docusign 'via' messages
48 and not (
49 any(headers.hops,
50 any(.fields,
51 .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
52 )
53 )
54 and strings.contains(sender.display_name, "via")
55 )
56
57 // negate docusign originated emails
58 and not any(headers.hops,
59 regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
60 )
61
62 // negate highly trusted sender domains unless they fail DMARC authentication
63 and (
64 (
65 sender.email.domain.root_domain in $high_trust_sender_root_domains
66 and not headers.auth_summary.dmarc.pass
67 )
68 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
69 )
70
71attack_types:
72 - "Credential Phishing"
73tactics_and_techniques:
74 - "Social engineering"
75detection_methods:
76 - "Computer Vision"
77 - "Sender analysis"
78 - "URL analysis"
79 - "URL screenshot"
80id: "f0c95bb7-afeb-5c8d-a654-74b5e026007f"