Link: Cloud service with credential theft language

Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities.

Sublime rule (View on GitHub)

 1name: "Link: Cloud service with credential theft language"
 2description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
   # NOTE(review): the description and the source below disagree in two places —
   # the source has no recipient-identification-entity condition, and it also
   # matches the 'Payment Information' and 'Financial Communications' topics,
   # not only file sharing. Confirm which side is intended and align the other.
 3type: "rule"
 4severity: "medium"
 5source: |
   // Inbound mail whose body opens with the word 'Cloud' or the cloud emoji
   // (U+2601), whose text carries a high-confidence credential-theft intent and
   // a file-sharing / payment / financial topic, and whose links all point at
   // root domains other than the sender's. Several allow-list negations follow;
   // each one is gated on an authentication pass so a spoofed sender cannot
   // use it to bypass the rule.
 6  type.inbound
 7  and (
   // the literal 'Cloud' prefix is tested on both the current thread text and
   // the rendered HTML text ...
 8    any([body.current_thread.text, body.html.inner_text],
 9        strings.starts_with(., 'Cloud')
10    )
11    // cloud emoji
   // ... whereas the emoji form is tested only on the current thread text —
   // verify that asymmetry is intended.
12    or regex.contains(body.current_thread.text, '^\x{2601}')
13  )
   // NLU gate 1: at least one intent is cred_theft at high confidence
14  and any(ml.nlu_classifier(body.current_thread.text).intents,
15          .name == 'cred_theft' and .confidence == 'high'
16  )
   // NLU gate 2: at least one of these topics at medium or high confidence
   // (anything other than 'low')
17  and any(ml.nlu_classifier(body.current_thread.text).topics,
18          .name in (
19            'File Sharing and Cloud Services',
20            'Payment Information',
21            'Financial Communications'
22          )
23          and .confidence != 'low'
24  )
25  // sender domain matches no body domains
   // require at least one non-mailto link with a resolvable root domain;
   // NOTE(review): the hard-coded 'oracle.com' exclusion carries no
   // explanation and means a message whose only link is oracle.com does not
   // satisfy this count — confirm it is still wanted rather than inherited.
26  and length(filter(body.links,
27                    .href_url.scheme != 'mailto'
28                    and .href_url.domain.root_domain is not null
29                    and .href_url.domain.root_domain != 'oracle.com'
30             )
31  ) > 0
   // every such link must point away from the sender's root domain; a null
   // sender root domain is coalesced to "", so every link then counts as
   // external. The length() > 0 check above keeps this all() from being
   // vacuously true on a link-less message.
32  and all(filter(body.links,
33                 .href_url.scheme != 'mailto'
34                 and .href_url.domain.root_domain is not null
35          ),
36          .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain,
37                                                   ""
38          )
39  )
40  // negate legit cloud companies
   // the negation only applies when SPF or DMARC passed, so a message merely
   // claiming one of these sender domains is still evaluated
41  and not (
42    coalesce(sender.email.domain.root_domain, "") in (
43      "cloud-cme.com",
44      "cloudcounting.online",
45      "cloudhealthtech.com",
46      "cloudpano.com"
47    )
48    // check for SPF or DMARC passed
49    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
50  )
51  // negate highly trusted sender domains unless they fail DMARC authentication
   // a missing DMARC result is treated as a failure (coalesce to false), so the
   // trusted-domain list never negates an unauthenticated message
52  and not (
53    sender.email.domain.root_domain in $high_trust_sender_root_domains
54    and coalesce(headers.auth_summary.dmarc.pass, false)
55  )
56  // negate Spark Cloud Attachments
   // only the hop at index 0 is inspected for the marker header —
   // TODO confirm that index 0 is the originating hop in this data model
57  and not any(headers.hops,
58              .index == 0
59              and any(.fields,
60                      .name == "X-Readdle-Spark-Cloud-Attachment"
61                      and .value is not null
62              )
63  )  
64attack_types:
65  - "Credential Phishing"
66tactics_and_techniques:
67  - "Social engineering"
68detection_methods:
69  - "Content analysis"
70  - "Natural Language Understanding"
71  - "Sender analysis"
72  - "URL analysis"
73id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"