Credential phishing: Engaging language and other indicators (untrusted sender)
An inbound message from an untrusted sender (new or outlier and unsolicited, or previously flagged as malicious/spam) that combines multiple suspicious indicators with engaging language characteristic of credential theft.
1name: "Credential phishing: Engaging language and other indicators (untrusted sender)"
2description: |
3 Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
4type: "rule"
5severity: "medium"
# Detection logic (MQL). Structure, top to bottom:
#   1. inbound message whose subject OR sender display name matches a lure pattern
#   2. at least 4 of the body/link/sender signals, OR a recipient-in-body /
#      suspicious-display-text combination paired with a suspicious link
#   3. false-positive negations: Google calendar shares, .ics invites, replies, bounce-backs
#   4. sender must be new/outlier and unsolicited, or previously flagged, and must not be
#      a high-trust root domain that passes DMARC
6source: |
7 type.inbound
8 and (
  // --- Stage 1a: lure subject. Deliberately broad: single-word patterns such as
  // "report", "scam", "required", "urgent", "your account" match a lot of benign mail,
  // so this stage only gates the stricter body/link checks in stage 2.
  // Many patterns use [il1]/[li] classes to catch homoglyph swaps (mai1box, he1pdesk).
9 regex.icontains(subject.subject,
10 "termination.*notice",
  // opaque campaign-specific token; no context for it is given here
11 "38417",
12 ":completed",
13 "[il1]{2}mit.*ma[il1]{2} ?bo?x",
  // NOTE(review): this requires the literal "egai" — it matches "illegai " but not
  // "illegal "; the sibling patterns below use ega[il]. Confirm whether ega[il][ -] was intended.
14 "[il][il][il]egai[ -]",
15 "[li][li][li]ega[li] attempt",
  // "[ng]-?[io]n" is the tail of sign-in / log-in / login
16 "[ng]-?[io]n .*block",
17 "[ng]-?[io]n .*cancel",
18 "[ng]-?[io]n .*deactiv",
19 "[ng]-?[io]n .*disabl",
20 "action.*required",
21 "abandon.*package",
22 "about.your.account",
23 "acc(ou)?n?t (is )?on ho[li]d",
24 "acc(ou)?n?t.*terminat",
25 "acc(oun)?t.*[il1]{2}mitation",
26 "access.*limitation",
27 "account (will be )?block",
28 "account.*de-?activat",
29 "account.*locked",
30 "account.*re-verification",
31 "account.*security",
32 "account.*suspension",
33 "account.has.expired",
34 "account.will.be.blocked",
35 "account v[il]o[li]at",
36 "activity.*acc(oun)?t",
37 "almost.full",
38 "app[li]e.[il]d",
39 "authenticate.*account",
40 "been.*suspend",
41 "crediential.*notif",
42 "clos.*of.*account.*processed",
43 "confirm.your.account",
44 "courier.*able",
  // duplicate of the "crediential.*notif" entry above; harmless but redundant
45 "crediential.*notif",
46 "deactivation.*in.*progress",
47 "delivery.*attempt.*failed",
48 "disconnection.*notice",
49 "document.received",
50 "documented.*shared.*with.*you",
51 "dropbox.*document",
  // NOTE(review): .{010} is a fixed-length quantifier (exactly 10 characters), not a
  // range — this looks like a typo for .{0,10} and will rarely match as written. Confirm.
52 "e-?ma[il1]+ .{010}suspen",
53 "e-?ma[il1]{1} user",
54 "e-?ma[il1]{2} acc",
55 "e-?ma[il1]{2}.*up.?grade",
56 "e.?ma[il1]{2}.*server",
57 "e.?ma[il1]{2}.*suspend",
58 "email.update",
59 "faxed you",
60 "fraud(ulent)?.*charge",
61 "from.helpdesk",
62 "fu[il1]{2}.*ma[il1]+[ -]?box",
63 "has.been.*suspended",
64 "has.been.limited",
65 "have.locked",
66 "he[li]p ?desk upgrade",
67 "heipdesk",
68 "i[il]iega[il]",
69 "ii[il]ega[il]",
70 "incoming e?mail",
71 "incoming.*fax",
72 "lock.*security",
73 "ma[il1]{1}[ -]?box.*quo",
74 "ma[il1]{2}[ -]?box.*fu[il1]",
75 "ma[il1]{2}box.*[il1]{2}mit",
76 "ma[il1]{2}box stor",
77 "mail on.?hold",
78 "mail.*box.*migration",
79 "mail.*de-?activat",
80 "mail.update.required",
81 "mails.*pending",
82 "messages.*pending",
83 "missed.*shipping.*notification",
84 "missed.shipment.notification",
85 "must.update.your.account",
86 "new [sl][io]g?[nig][ -]?in from",
87 "new voice ?-?mail",
88 "notifications.*pending",
89 "office.*3.*6.*5.*suspend",
90 "office365",
91 "on google docs with you",
92 "online doc",
93 "password.*compromised",
94 "periodic maintenance",
95 "potential(ly)? unauthorized",
96 "refund not approved",
  // very broad single-word lures; rely on stage 2 to keep precision
97 "report",
98 "revised.*policy",
99 "scam",
100 "scanned.?invoice",
101 "secured?.update",
102 "security breach",
103 "securlty",
104 "signed.*delivery",
  // NOTE(review): .{314}? requires exactly 314 characters (the ? only makes a fixed
  // count lazy) — this looks like a typo for .{3,14}? and will effectively never match. Confirm.
105 "status of your .{314}? ?delivery",
106 "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
107 "suspicious.*sign.*[io]n",
108 "suspicious.activit",
109 "temporar(il)?y deactivate",
110 "temporar[il1]{2}y disab[li]ed",
111 "temporarily.*lock",
112 "un-?usua[li].activity",
113 "unable.*deliver",
114 "unauthorized.*activit",
115 "unauthorized.device",
116 "undelivered message",
117 "unread.*doc",
118 "unusual.activity",
119 "upgrade.*account",
120 "upgrade.notice",
121 "urgent message",
122 "urgent.verification",
123 "v[il1]o[li1]at[il1]on security",
124 "va[il1]{1}date.*ma[il1]{2}[ -]?box",
125 "verification ?-?require",
126 "verification( )?-?need",
127 "verify.your?.account",
128 "web ?-?ma[il1]{2}",
129 "web[ -]?ma[il1]{2}",
130 "will.be.suspended",
131 "your (customer )?account .as",
132 "your.office.365",
133 "your.online.access",
134 "de.activation",
  // The entries below are imported from the shared suspicious-subjects list. Several are
  // plain substrings (not anchored), and a few ("are you at your desk", "are you available",
  // "quick reply") are BEC-style engagement lures rather than credential-theft wording.
135 // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
136 "account has been limited",
137 "action required",
138 "almost full",
139 "apd notifi cation",
140 "are you at your desk",
141 "are you available",
142 "attached file to docusign",
143 "banking is temporarily unavailable",
144 "bankofamerica",
145 "closing statement invoice",
146 "completed: docusign",
147 "de-activation of",
148 "delivery attempt",
149 "delivery stopped for shipment",
150 "detected suspicious",
151 "detected suspicious actvity",
152 "docu sign",
153 "document for you",
154 "document has been sent to you via docusign",
155 "document is ready for signature",
156 "docusign",
157 "encrypted message",
158 "failed delivery",
159 "fedex tracking",
160 "file was shared",
161 "freefax",
162 "fwd: due invoice paid",
163 "has shared",
164 "inbox is full",
165 "invitation to comment",
166 "invitation to edit",
167 "invoice due",
168 "left you a message",
169 "message from",
170 "new message",
171 "new voicemail",
172 "on desk",
173 "out of space",
174 "password reset",
175 "payment status",
176 "pay notification",
177 "quick reply",
178 "re: w-2",
179 "required",
180 "required: completed docusign",
181 "remittance",
182 "ringcentral",
183 "scanned image",
184 "secured files",
185 "secured pdf",
186 "security alert",
187 "new sign-in",
188 "new sign in",
189 "sign-in attempt",
190 "sign in attempt",
191 "staff review",
192 "suspicious activity",
193 "unrecognized login attempt",
194 "unusual signin",
195 "upgrade immediately",
196 "urgent",
197 "wants to share",
198 "w2",
199 "you have notifications pending",
200 "your account",
201 "your amazon order",
202 "your document settlement",
203 "your order with amazon",
204 "your password has been compromised",
205 )
  // "account has been ..." is a lure unless it is the benign "account has been created"
206 or (
207 regex.icontains(subject.subject, 'account.has.been')
208 and not regex.icontains(subject.subject, 'account.has.been.*created')
209 )
  // --- Stage 1b: impersonated role/function in the sender display name.
  // These are case-insensitive substring matches unless wrapped in \b: "Info" also hits
  // "Information", "Free" hits "Freedom", "Deal" hits "Idealist", and "Admin" already
  // subsumes "Administrator". Only HR / IT / Legal are word-bounded.
210 or (
211 regex.icontains(sender.display_name,
212 "Admin",
213 "Administrator",
214 "Alert",
215 "Assistant",
216 "Authenticat(or|ion)",
217 "Billing",
218 "Benefits",
219 "Bonus",
220 "CEO",
221 "CFO",
222 "CIO",
223 "CTO",
224 "Chairman",
225 "Claim",
226 "Confirm",
227 "Cpanel Mail",
228 "Critical",
229 "Customer Service",
230 "Deal",
231 "Discount",
232 "Director",
233 "Exclusive",
234 "Executive",
235 "Fax",
236 "Free",
237 "Gift",
238 '\bHR\b',
239 "Helpdesk",
240 "Human Resources",
241 "Immediate",
242 "Important",
243 "Info",
244 "Information",
245 "Invoice",
246 '\bIT\b',
247 '\bLegal\b',
248 "Lottery",
249 "Management",
250 "Manager",
251 "Member Services",
252 "Notification",
253 "Offer",
254 "Operations",
255 "Order",
256 "Partner",
257 "Payment",
258 "Payroll",
259 "Postmaster",
260 "President",
261 "Premium",
262 "Prize",
263 "Receipt",
264 "Refund",
265 "Registrar",
266 "Required",
267 "Reward",
268 "Sales",
269 "Secretary",
270 "Security",
271 "Service",
272 "Storage",
273 "Support",
274 "Sweepstakes",
275 "System",
276 "Tax",
277 "Tech Support",
278 "Update",
279 "Upgrade",
280 "Urgent",
281 "Validate",
282 "Verify",
283 "VIP",
284 "Webmaster",
285 "Winner",
286 )
287 // add negation for common FPs in the sender display_name
288 and not strings.icontains(sender.display_name, "service bulletin")
289 and not strings.icontains(sender.display_name, "automotive service")
290
291 )
292 )
  // --- Stage 2: corroborating signals. Either branch below is sufficient.
293 and (
  // Branch A: at least four of the following nine signals.
294 4 of (
  // (1) a recipient's address or local part appears in the current thread body.
  // NOTE(review): .email.local_part can be very short (e.g. "jo"), in which case this
  // signal is satisfied by almost any body text; consider a minimum length if FPs appear.
295 any(recipients.to,
296 .email.domain.valid
297 and (
298 strings.icontains(body.current_thread.text, .email.email)
299 or strings.icontains(body.current_thread.text, .email.local_part)
300 )
301 ),
  // (2) NLU classifies the body as credential theft with medium or high confidence
302 any(ml.nlu_classifier(body.current_thread.text).intents,
303 .name == "cred_theft" and .confidence in ("medium", "high")
304 ),
  // (3) NLU finds a "request" entity (asks the recipient to do something)
305 any(ml.nlu_classifier(body.current_thread.text).entities,
306 .name == "request"
307 ),
  // (4) sender is freemail, or no body link shares the sender's root domain.
  // NOTE(review): if all() is vacuously true for an empty list, a message with no links
  // satisfies this signal automatically; confirm MQL's empty-list semantics for all().
308 (
309 // freemail providers should never be sending this type of email
310 sender.email.domain.domain in $free_email_providers
311
312 // if not freemail, it's suspicious if the sender's root domain
313 // doesn't match any links in the body
314 or all(body.links,
315 .href_url.domain.root_domain != sender.email.domain.root_domain
316 and .href_url.domain.root_domain not in $org_domains
317 )
318 ),
  // (5) an image attachment whose OCR text is high-confidence credential theft
  // (stricter than (2): only "high" is accepted for OCR output)
319 // in case it's embedded in an image attachment
320 // note: don't use message_screenshot() because it's not limited to current_thread
321 // and may FP
322 any(attachments,
323 .file_type in $file_types_images
324 and any(file.explode(.),
325 any(ml.nlu_classifier(.scan.ocr.raw).intents,
326 .name == "cred_theft" and .confidence == "high"
327 )
328 )
329 ),
  // (6) a known lure sentence; note this is strings.contains (case-sensitive),
  // unlike the icontains calls used elsewhere in this rule
330 strings.contains(body.current_thread.text,
331 "Your mailbox can no longer send or receive messages."
332 ),
  // (7) a link that carries a redirect query parameter or a rewrite recognised as an open redirect
333 any(body.links,
334 strings.icontains(.href_url.query_params, 'redirect')
335 or any(.href_url.rewrite.encoders,
336 strings.icontains(., "open_redirect")
337 )
338 ),
  // (8) at least two urgency entities in the body AND a link whose display text is a request
339 // multiple entities displaying urgency
340 length(filter(ml.nlu_classifier(body.current_thread.text).entities,
341 .name == "urgency"
342 )
343 ) >= 2
344 // and any body links
345 and any(body.links,
346 // display text contains a request
347 any(ml.nlu_classifier(.display_text).entities, .name == "request")
348 )
349 )
  // Branch B: recipient-address-in-body (excluding disclaimer phrasings) or a lone
  // "click here"/"password" link, combined with a suspicious link destination.
350 or (
351 (
352 // recipient's email address is in the body
353 any(recipients.to,
354 // use count to ensure the email address is not part of a disclaimer
355 strings.icount(body.current_thread.text, .email.email) >
356 // sum allows us to add more logic as needed
357 sum([
358 strings.icount(body.current_thread.text,
359 strings.concat('was sent to ', .email.email)
360 ),
361 strings.icount(body.current_thread.text,
362 strings.concat('intended for ', .email.email)
363 )
364 ]
365 )
366 )
367 // suspicious display text
368 or (
369 length(body.links) == 1
370 and all(body.links, strings.ilike(.display_text, "*click here*", "*password*"))
371 )
372 )
  // ml.link_analysis(mode="aggressive") follows the link to its effective URL; the
  // checks are: suspicious TLD, >= 4 distinct root domains in the redirect chain, or a
  // bare IP from body.ips appearing in a link URL (..ip is the outer-scope element).
373 // link leads to a suspicious TLD or contains an IP address or contains multiple redirects
374 and any(body.links,
375 (
376 ml.link_analysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
377 or length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history, .domain.root_domain))) >= 4
378 or (
379 any(body.ips,
380 any(body.links, strings.icontains(.href_url.url, ..ip))
381 )
382 )
383 )
384 )
385 )
386 )
  // --- Stage 3: false-positive negations.
  // NOTE(review): Return-Path is sender-controlled and this exemption is not tied to an
  // authentication result, so a phisher can claim it by forging this bounce address.
  // Consider pairing it with an auth check (as the DMARC condition at the end of the rule does).
387 // exclude Google shared calendar messages
388 // Subject: "<sender name> has shared a calendar with you"
389 and headers.return_path.domain.domain != "calendar-server.bounces.google.com"
  // one or two attachments that are all calendar objects
390 // negate calendar invites
391 and not (
392 0 < length(attachments) < 3
393 and all(attachments, .content_type in ("text/calendar", "application/ics"))
394 )
  // Reply negation, as written: a message with no References header always passes;
  // a message with References (or no In-Reply-To hop field) passes only if its subject
  // does not start with a reply/forward prefix (RE:, R:, ODG:, 答复:, AW:, TR:, FWD:,
  // or bracketed tags followed by re:/fwd:).
395 // negate replies
396 and (
397 (
398 (
399 length(headers.references) > 0
400 or not any(headers.hops,
401 any(.fields, strings.ilike(.name, "In-Reply-To"))
402 )
403 )
404 and not (
405 (
406 strings.istarts_with(subject.subject, "RE:")
407 or strings.istarts_with(subject.subject, "R:")
408 or strings.istarts_with(subject.subject, "ODG:")
409 or strings.istarts_with(subject.subject, "答复:")
410 or strings.istarts_with(subject.subject, "AW:")
411 or strings.istarts_with(subject.subject, "TR:")
412 or strings.istarts_with(subject.subject, "FWD:")
413 or regex.icontains(subject.subject,
414 '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
415 )
416 )
417 )
418 )
419 or length(headers.references) == 0
420 )
  // Bounce negation keys on the sender local part (sender-controlled) but also requires
  // an rfc822 / delivery-status / calendar attachment, which limits how easily it can be abused.
421 // bounce-back negations
422 and not (
423 strings.like(sender.email.local_part,
424 "*postmaster*",
425 "*mailer-daemon*",
426 "*administrator*"
427 )
428 and any(attachments,
429 .content_type in (
430 "message/rfc822",
431 "message/delivery-status",
432 "text/calendar"
433 )
434 )
435 )
  // --- Stage 4: sender trust. "Untrusted" means new/outlier and never solicited,
  // or a sender with prior malicious/spam verdicts and no false-positive history.
436 and (
437 (
438 profile.by_sender().prevalence in ("new", "outlier")
439 and not profile.by_sender().solicited
440 )
441 or (
442 profile.by_sender().any_messages_malicious_or_spam
443 and not profile.by_sender().any_false_positives
444 )
445 )
  // A high-trust root domain is exempt only when DMARC passes; a spoofed high-trust
  // sender that fails DMARC still fires. NOTE(review): behaviour when dmarc.pass is
  // null (no DMARC evaluation available) depends on how MQL evaluates "not null" — confirm.
446 // negate highly trusted sender domains unless they fail DMARC authentication
447 and (
448 (
449 sender.email.domain.root_domain in $high_trust_sender_root_domains
450 and not headers.auth_summary.dmarc.pass
451 )
452 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
453 )
# Classification metadata for the rule catalogue.
454attack_types:
455 - "Credential Phishing"
456tactics_and_techniques:
457 - "Free email provider"
458 - "Social engineering"
459detection_methods:
460 - "Content analysis"
461 - "Header analysis"
462 - "Natural Language Understanding"
463 - "Sender analysis"
464 - "URL analysis"
465id: "c2bc8ca2-d207-5c7d-96e4-a0d3d33b2af5"