Link: Cloud service with credential theft language

Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities.

Sublime rule (View on GitHub)

 1name: "Link: Cloud service with credential theft language"
 2description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    strings.starts_with(body.current_thread.text, 'Cloud')
 9    // cloud emoji
10    or regex.contains(body.current_thread.text, '^\x{2601}')
11  )
12  and any(ml.nlu_classifier(body.current_thread.text).intents,
13          .name == 'cred_theft' and .confidence == 'high'
14  )
15  and any(ml.nlu_classifier(body.current_thread.text).topics,
16          .name in ('File Sharing and Cloud Services', 'Payment Information')
17          and .confidence != 'low'
18  )
19  // sender domain matches no body domains
20  and length(body.links) > 0
21  and all(body.links,
22          .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain,
23                                                   ""
24          )
25  )
26  // negate legit cloud companies
27  and not (
28    sender.email.domain.root_domain in ("cloud-cme.com", "cloudcounting.online")
29    // check for SPF or DMARC passed
30    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
31  )
32  // negate highly trusted sender domains unless they fail DMARC authentication
33  and not (
34    sender.email.domain.root_domain in $high_trust_sender_root_domains
35    and coalesce(headers.auth_summary.dmarc.pass, false)
36  )  
37attack_types:
38  - "Credential Phishing"
39tactics_and_techniques:
40  - "Social engineering"
41detection_methods:
42  - "Content analysis"
43  - "Natural Language Understanding"
44  - "Sender analysis"
45  - "URL analysis"
46id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"