Credential phishing content and link (untrusted sender)

Message from an unknown sender that contains credential theft language and a link to a credential phishing page. Link Analysis runs in aggressive mode to increase the chance that the link is actually scanned.

Sublime rule (View on GitHub)

 1name: "Credential phishing content and link (untrusted sender)"
 2description: |
 3  Message contains credential theft language and a link to a credential phishing page from an unknown sender.
 4  We use Link Analysis in aggressive mode to increase our chances of scanning.  
 5type: "rule"
 6severity: "high"
 7source: |
 8  type.inbound
 9  and (
10    any(ml.nlu_classifier(body.current_thread.text).intents,
11        .name == "cred_theft" and .confidence in ("medium", "high")
12    )
13    // embedded in an image attachment
14    // note: don't use message_screenshot() for now
15    // because it's not limited to current_thread and may FP
16    or any(attachments,
17           .file_type in $file_types_images
18           and any(file.explode(.),
19                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
20                       .name == "cred_theft" and .confidence in ("medium", "high")
21                   )
22           )
23    )
24  )
25  and any(body.links,
26          beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
27          and beta.linkanalysis(., mode="aggressive").credphish.confidence in (
28            "medium",
29            "high"
30          )
31  )
32  and (
33    (
34      profile.by_sender().prevalence in ("new", "outlier")
35      and not profile.by_sender().solicited
36    )
37    or (
38      profile.by_sender().any_messages_malicious_or_spam
39      and not profile.by_sender().any_false_positives
40    )
41  )
42  
43  // negate docusign 'via' messages
44  and not (
45    any(headers.hops,
46        any(.fields,
47            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
48        )
49    )
50    and strings.contains(sender.display_name, "via")
51  )
52  
53  // negate docusign originated emails
54  and not any(headers.hops,
55              regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
56  )
57  
58  // negate highly trusted sender domains unless they fail DMARC authentication
59  and (
60    (
61      sender.email.domain.root_domain in $high_trust_sender_root_domains
62      and (
63        any(distinct(headers.hops, .authentication_results.dmarc is not null),
64            strings.ilike(.authentication_results.dmarc, "*fail")
65        )
66      )
67    )
68    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
69  )  
70
71
72attack_types:
73  - "Credential Phishing"
74tactics_and_techniques:
75  - "Social engineering"
76detection_methods:
77  - "Computer Vision"
78  - "Sender analysis"
79  - "URL analysis"
80  - "URL screenshot"
81id: "f0c95bb7-afeb-5c8d-a654-74b5e026007f"