Brand impersonation: Cloud services with credential theft intent
Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji or Cloud+ text, contains links to external domains not matching the sender's domain, and lacks recipient identification entities.
Sublime rule (View on GitHub)
name: "Brand impersonation: Cloud services with credential theft intent"
description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji or Cloud+ text, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    any([body.current_thread.text, body.html.inner_text],
        strings.starts_with(., 'Cloud') or strings.icontains(., "Cloud+ ")
    )
    // cloud emoji
    or regex.contains(body.current_thread.text, '^\x{2601}')
    or regex.icontains(body.current_thread.text, '^!\s*Cloud storage')
    // address in the body
    or strings.icontains(body.current_thread.text,
                         '4563 Cloud Way, Server City, CA'
    )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence == 'high'
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in (
            'File Sharing and Cloud Services',
            'Payment Information',
            'Financial Communications'
          )
          and .confidence != 'low'
  )
  // sender domain matches no body domains
  and length(filter(body.links,
                    .href_url.scheme != 'mailto'
                    and .href_url.domain.root_domain is not null
                    and .href_url.domain.root_domain != 'oracle.com'
             )
  ) > 0
  and all(filter(body.links,
                 .href_url.scheme != 'mailto'
                 and .href_url.domain.root_domain is not null
          ),
          .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain,
                                                   ""
          )
  )
  // negate legit cloud companies
  and not (
    coalesce(sender.email.domain.root_domain, "") in (
      "cloud-cme.com",
      "cloudcounting.online",
      "cloudhealthtech.com",
      "cloudpano.com"
    )
    // check for SPF or DMARC passed
    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // negate Spark Cloud Attachments
  and not any(headers.hops,
              .index == 0
              and any(.fields,
                      .name == "X-Readdle-Spark-Cloud-Attachment"
                      and .value is not null
              )
  )
  and not (
    sender.email.email == "noreply@icloud.com.cn"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"
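To see how the rule's pieces interact, the following is an added example (not Sublime's code, and not part of the rule above) that re-implements the deterministic parts of the logic in Python and runs them over constructed messages: the "starts with Cloud / cloud emoji / Cloud+ / address" lure check, the link filter (mailto: and unresolvable hosts dropped, at least one non-oracle.com link, every remaining link's root domain differing from the sender's), and the four negations. The ml.nlu_classifier output cannot be reproduced outside the platform, so each sample message carries its intents and topics as data; the high-trust list and the public-suffix handling are assumed stand-ins, and the sample senders, links and header values are all constructed.

```python
# Added example, not Sublime's code: the deterministic parts of the MQL rule in Python.
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

LEGIT_CLOUD_DOMAINS = {"cloud-cme.com", "cloudcounting.online",
                       "cloudhealthtech.com", "cloudpano.com"}   # literals from the rule
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}  # assumed stand-in for $high_trust_sender_root_domains
MULTI_LABEL_SUFFIXES = {"com.cn", "co.uk"}                 # tiny stand-in for the public suffix list (assumption)
BODY_ADDRESS = "4563 Cloud Way, Server City, CA"


def root_domain(host):
    """eTLD+1 of a hostname; None when there is no usable host (mirrors a null root_domain)."""
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:]) if len(labels) >= n else None


@dataclass
class Message:
    sender_email: str
    thread_text: str                  # body.current_thread.text
    html_inner_text: str              # body.html.inner_text
    links: list                       # href values from body.links
    intents: list = field(default_factory=list)   # [(name, confidence)] supplied in place of the classifier
    topics: list = field(default_factory=list)
    spf_pass: Optional[bool] = None   # headers.auth_summary.spf.pass
    dmarc_pass: Optional[bool] = None  # headers.auth_summary.dmarc.pass
    first_hop_headers: dict = field(default_factory=dict)  # headers.hops[0].fields as name -> value


def cloud_lure(m):
    """The 'starts with Cloud / Cloud+ / cloud emoji / ! Cloud storage / street address' disjunction."""
    texts = (m.thread_text, m.html_inner_text)
    return (any(t.startswith("Cloud") or "cloud+ " in t.lower() for t in texts)
            or re.search(r"^\u2601", m.thread_text) is not None
            or re.search(r"^!\s*Cloud storage", m.thread_text, re.I) is not None
            or BODY_ADDRESS.lower() in m.thread_text.lower())


def nlu_match(m):
    """High-confidence cred_theft intent plus a non-low-confidence topic from the rule's list."""
    return (any(n == "cred_theft" and c == "high" for n, c in m.intents)
            and any(n in ("File Sharing and Cloud Services", "Payment Information",
                          "Financial Communications") and c != "low" for n, c in m.topics))


def link_roots(m):
    """body.links minus mailto: links and links whose root domain is null."""
    out = []
    for href in m.links:
        u = urlparse(href)
        r = root_domain(u.hostname)
        if u.scheme != "mailto" and r is not None:
            out.append(r)
    return out


def links_point_away_from_sender(m):
    """At least one non-oracle.com link, and no link sharing the sender's root domain."""
    roots = link_roots(m)
    sender_root = root_domain(m.sender_email.rpartition("@")[2]) or ""   # coalesce(..., "")
    return any(r != "oracle.com" for r in roots) and all(r != sender_root for r in roots)


def excluded(m):
    """The four 'and not (...)' negations at the end of the rule."""
    sender_root = root_domain(m.sender_email.rpartition("@")[2]) or ""
    return ((sender_root in LEGIT_CLOUD_DOMAINS and bool(m.spf_pass or m.dmarc_pass))
            or (sender_root in HIGH_TRUST_ROOT_DOMAINS and bool(m.dmarc_pass))
            or m.first_hop_headers.get("X-Readdle-Spark-Cloud-Attachment") is not None
            or (m.sender_email == "noreply@icloud.com.cn" and bool(m.dmarc_pass)))


def rule_matches(m):
    return cloud_lure(m) and nlu_match(m) and links_point_away_from_sender(m) and not excluded(m)


# Constructed sample messages; none of these are real.
PHISH = Message(   # lookalike sender, credential lure, link to an unrelated domain -> matches
    sender_email="support@mail-cloudstorage-notice.example",
    thread_text="Cloud storage: your mailbox is full. Verify your password now to keep receiving mail.",
    html_inner_text="Cloud storage: your mailbox is full.",
    links=["https://login.verify-portal.example/auth", "mailto:support@mail-cloudstorage-notice.example"],
    intents=[("cred_theft", "high")], topics=[("File Sharing and Cloud Services", "medium")],
    spf_pass=True)
LEGIT_VENDOR = Message(   # allowlisted cloud company with SPF passing -> negated
    sender_email="noreply@cloudhealthtech.com",
    thread_text="Cloud cost report ready. Sign in to view.", html_inner_text="Cloud cost report ready.",
    links=["https://reports.example.net/view"],
    intents=[("cred_theft", "high")], topics=[("File Sharing and Cloud Services", "high")],
    spf_pass=True)
SELF_LINKED = Message(   # every link goes back to the sender's own domain -> no match
    sender_email="alerts@cloudbox.example",
    thread_text="Cloud storage quota: verify your account.", html_inner_text="",
    links=["https://portal.cloudbox.example/login"],
    intents=[("cred_theft", "high")], topics=[("File Sharing and Cloud Services", "high")])

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("LEGIT_VENDOR", LEGIT_VENDOR), ("SELF_LINKED", SELF_LINKED)):
        print(name, rule_matches(m))
```

The two link conditions are worth keeping separate when porting the rule: the length(...) > 0 clause guarantees the message actually has an external link to judge, while the all(...) clause is what fails for self-referencing links such as SELF_LINKED above, so a message with no links at all is rejected by the first clause rather than vacuously passing the second.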