Brand impersonation: Cloud services with credential theft intent

Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud', a cloud emoji, or 'Cloud+' text; contains links to external domains not matching the sender's domain; and lacks recipient identification entities.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# The rule matches inbound mail that (1) carries a "Cloud" brand signal in its
# text, images or a street address, (2) is classified by NLU as high-confidence
# credential theft on a file-sharing / payment / financial topic, and (3) links
# only to root domains other than the sender's, minus a few allow-listed senders.
name: "Brand impersonation: Cloud services with credential theft intent"
description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji or Cloud+ text, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
type: "rule"
severity: "medium"
# NOTE(review): the description says the message "lacks recipient identification
# entities", but no entity check appears anywhere in `source` below — confirm
# whether that condition was dropped intentionally or the description is stale.
source: |
  type.inbound
  // --- Brand signal: any one of the "Cloud" indicators below ---
  and (
    // plain-text thread or rendered HTML text begins with "Cloud", contains
    // "Cloud+ ", or begins with a BOM (U+FEFF), optional whitespace and "Cloud"
    any([body.current_thread.text, body.html.inner_text],
        strings.starts_with(., 'Cloud')
        or strings.icontains(., "Cloud+ ")
        or regex.icontains(., '^\x{FEFF}\s*Cloud')
    )
    // cloud emoji (U+2601) at the very start of the thread text
    or regex.contains(body.current_thread.text, '^\x{2601}')
    // "!" followed by optional whitespace and "cloud storage" at the start
    or regex.icontains(body.current_thread.text, '^!\s*cloud storage')
    // address in the body
    or strings.icontains(body.current_thread.text,
                         '4563 Cloud Way, Server City, CA'
    )
    // an <img> whose alt text starts with "cloud logo" or "cloud storage"
    or any(html.xpath(body.html, '//img/@alt').nodes,
           regex.icontains(.raw, '^cloud (?:logo|storage)')
    )
    // a "cloud id: #<digits>" reference anywhere in the thread text
    or regex.icontains(body.current_thread.text, 'cloud id:\s*#\d+')
  )
  // --- Intent: NLU must report credential theft at high confidence ---
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence == 'high'
  )
  // --- Topic: one of the listed topics at any confidence other than 'low' ---
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in (
            'File Sharing and Cloud Services',
            'Payment Information',
            'Financial Communications'
          )
          and .confidence != 'low'
  )
  // sender domain matches no body domains
  // Links without a resolvable root domain (is null) and mailto: links are
  // ignored by both of the following checks.
  // First: at least one qualifying link must exist.
  // NOTE(review): the explicit exclusion of 'oracle.com' looks inherited from a
  // different brand rule — confirm it is intended in a "Cloud" rule.
  and length(filter(body.links,
                    .href_url.scheme != 'mailto'
                    and .href_url.domain.root_domain is not null
                    and .href_url.domain.root_domain != 'oracle.com'
             )
  ) > 0
  // Second: every qualifying link must point to a root domain other than the
  // sender's (a missing sender root domain is treated as "").
  and all(filter(body.links,
                 .href_url.scheme != 'mailto'
                 and .href_url.domain.root_domain is not null
          ),
          .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain,
                                                   ""
          )
  )
  // negate legit cloud companies
  and not (
    coalesce(sender.email.domain.root_domain, "") in (
      "cloud-cme.com",
      "cloudcounting.online",
      "cloudhealthtech.com",
      "cloudpano.com"
    )
    // check for SPF or DMARC passed
    // NOTE(review): unlike the two DMARC checks further down, these auth results
    // are not wrapped in coalesce(..., false) — confirm the intended result when
    // headers.auth_summary is null.
    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // negate Spark Cloud Attachments
  // (first hop, index 0, carries a non-null X-Readdle-Spark-Cloud-Attachment field)
  and not any(headers.hops,
              .index == 0
              and any(.fields,
                      .name == "X-Readdle-Spark-Cloud-Attachment"
                      and .value is not null
              )
  )
  // negate this one exact iCloud China sender, but only when DMARC passes
  and not (
    sender.email.email == "noreply@icloud.com.cn"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"