Link: Cloud service with credential theft language
Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities.
Sublime rule:

```yaml
name: "Link: Cloud service with credential theft language"
description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.starts_with(body.current_thread.text, 'Cloud')
    // cloud emoji
    or regex.contains(body.current_thread.text, '^\x{2601}')
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence == 'high'
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == 'File Sharing and Cloud Services' and .confidence == 'high'
  )
  // sender domain matches no body domains
  and length(body.links) > 0
  and all(body.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
  )
  // negate legit cloud companies
  and not (
    sender.email.domain.root_domain in ("cloud-cme.com", "cloudcounting.online")
    // check for SPF or DMARC passed
    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"
```
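To make the rule's boolean chain concrete, here is an added Python emulation of its conditions run over constructed message records; it is not Sublime's code or MQL. The NLU classifier output, the link hosts, the SPF/DMARC verdicts and the `$high_trust_sender_root_domains` list are all stand-ins supplied as plain fields, and `root_domain` is simplified to the last two labels.

```python
import re

# Stand-ins for values the real rule reads from Sublime (constructed for this example)
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "dropbox.com"}
LEGIT_CLOUD_DOMAINS = {"cloud-cme.com", "cloudcounting.online"}
CLOUD_EMOJI_RE = re.compile(r"^\u2601")  # equivalent of regex.contains(..., '^\x{2601}')

def root_domain(host: str) -> str:
    # Simplification: last two labels; Sublime's root_domain is public-suffix aware
    return ".".join(host.lower().split(".")[-2:])

def matches_rule(msg: dict) -> bool:
    """Mirror the rule's boolean chain; each early return is one failed 'and' clause."""
    text = msg["body_text"]
    if not (text.startswith("Cloud") or CLOUD_EMOJI_RE.search(text)):
        return False
    if not any(i["name"] == "cred_theft" and i["confidence"] == "high"
               for i in msg["intents"]):
        return False
    if not any(t["name"] == "File Sharing and Cloud Services" and t["confidence"] == "high"
               for t in msg["topics"]):
        return False
    sender_root = root_domain(msg["sender_domain"])
    links = msg["links"]
    # length(body.links) > 0 and every link root domain differs from the sender's
    if not links or not all(root_domain(h) != sender_root for h in links):
        return False
    spf, dmarc = msg.get("spf_pass"), msg.get("dmarc_pass")  # None = header absent
    # negate the listed legitimate cloud companies only when SPF or DMARC passed
    if sender_root in LEGIT_CLOUD_DOMAINS and (spf or dmarc):
        return False
    # coalesce(dmarc.pass, false): a missing DMARC verdict does not exempt a trusted domain
    if sender_root in HIGH_TRUST_SENDER_ROOT_DOMAINS and (dmarc if dmarc is not None else False):
        return False
    return True

def sample(**overrides) -> dict:
    """Constructed lure: body opens with 'Cloud', NLU says cred_theft/high, link is external."""
    base = {
        "body_text": "Cloud storage notice: your files will be deleted, sign in to keep them",
        "intents": [{"name": "cred_theft", "confidence": "high"}],
        "topics": [{"name": "File Sharing and Cloud Services", "confidence": "high"}],
        "sender_domain": "mail.example-sender.test",
        "links": ["login.example-lure.test"],
        "spf_pass": None, "dmarc_pass": None,
    }
    base.update(overrides)
    return base
```

The cases worth exercising are the exemptions: a high-trust domain with no DMARC result at all is still flagged because `coalesce` turns the missing verdict into `false`, and a listed cloud company is only exempted when SPF or DMARC actually passed.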