Credential phishing: Engaging language and other indicators (untrusted sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
Sublime rule (View on GitHub)
1name: "Credential phishing: Engaging language and other indicators (untrusted sender)"
2description: |
3 Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and (
9 regex.icontains(subject.subject,
10 "termination.*notice",
11 "38417",
12 ":completed",
13 "[il1]{2}mit.*ma[il1]{2} ?bo?x",
14 "[il][il][il]egai[ -]",
15 "[li][li][li]ega[li] attempt",
16 "[ng]-?[io]n .*block",
17 "[ng]-?[io]n .*cancel",
18 "[ng]-?[io]n .*deactiv",
19 "[ng]-?[io]n .*disabl",
20 "action.*required",
21 "abandon.*package",
22 "about.your.account",
23 "acc(ou)?n?t (is )?on ho[li]d",
24 "acc(ou)?n?t.*terminat",
25 "acc(oun)?t.*[il1]{2}mitation",
26 "access.*limitation",
27 "account (will be )?block",
28 "account.*de-?activat",
29 "account.*locked",
30 "account.*re-verification",
31 "account.*security",
32 "account.*suspension",
33 "account.has.been",
34 "account.has.expired",
35 "account.will.be.blocked",
36 "account v[il]o[li]at",
37 "activity.*acc(oun)?t",
38 "almost.full",
39 "app[li]e.[il]d",
40 "authenticate.*account",
41 "been.*suspend",
42 "crediential.*notif",
43 "clos.*of.*account.*processed",
44 "confirm.your.account",
45 "courier.*able",
46 "crediential.*notif",
47 "deactivation.*in.*progress",
48 "delivery.*attempt.*failed",
49 "disconnection.*notice",
50 "document.received",
51 "documented.*shared.*with.*you",
52 "dropbox.*document",
53 "e-?ma[il1]+ .{010}suspen",
54 "e-?ma[il1]{1} user",
55 "e-?ma[il1]{2} acc",
56 "e-?ma[il1]{2}.*up.?grade",
57 "e.?ma[il1]{2}.*server",
58 "e.?ma[il1]{2}.*suspend",
59 "email.update",
60 "faxed you",
61 "fraud(ulent)?.*charge",
62 "from.helpdesk",
63 "fu[il1]{2}.*ma[il1]+[ -]?box",
64 "has.been.*suspended",
65 "has.been.limited",
66 "have.locked",
67 "he[li]p ?desk upgrade",
68 "heipdesk",
69 "i[il]iega[il]",
70 "ii[il]ega[il]",
71 "incoming e?mail",
72 "incoming.*fax",
73 "lock.*security",
74 "ma[il1]{1}[ -]?box.*quo",
75 "ma[il1]{2}[ -]?box.*fu[il1]",
76 "ma[il1]{2}box.*[il1]{2}mit",
77 "ma[il1]{2}box stor",
78 "mail on.?hold",
79 "mail.*box.*migration",
80 "mail.*de-?activat",
81 "mail.update.required",
82 "mails.*pending",
83 "messages.*pending",
84 "missed.*shipping.*notification",
85 "missed.shipment.notification",
86 "must.update.your.account",
87 "new [sl][io]g?[nig][ -]?in from",
88 "new voice ?-?mail",
89 "notifications.*pending",
90 "office.*3.*6.*5.*suspend",
91 "office365",
92 "on google docs with you",
93 "online doc",
94 "password.*compromised",
95 "periodic maintenance",
96 "potential(ly)? unauthorized",
97 "refund not approved",
98 "report",
99 "revised.*policy",
100 "scam",
101 "scanned.?invoice",
102 "secured?.update",
103 "security breach",
104 "securlty",
105 "signed.*delivery",
106 "status of your .{314}? ?delivery",
107 "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
108 "suspicious.*sign.*[io]n",
109 "suspicious.activit",
110 "temporar(il)?y deactivate",
111 "temporar[il1]{2}y disab[li]ed",
112 "temporarily.*lock",
113 "un-?usua[li].activity",
114 "unable.*deliver",
115 "unauthorized.*activit",
116 "unauthorized.device",
117 "undelivered message",
118 "unread.*doc",
119 "unusual.activity",
120 "upgrade.*account",
121 "upgrade.notice",
122 "urgent message",
123 "urgent.verification",
124 "v[il1]o[li1]at[il1]on security",
125 "va[il1]{1}date.*ma[il1]{2}[ -]?box",
126 "verification ?-?require",
127 "verification( )?-?need",
128 "verify.your?.account",
129 "web ?-?ma[il1]{2}",
130 "web[ -]?ma[il1]{2}",
131 "will.be.suspended",
132 "your (customer )?account .as",
133 "your.office.365",
134 "your.online.access",
135 "de.activation",
136 // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
137 "account has been limited",
138 "action required",
139 "almost full",
140 "apd notifi cation",
141 "are you at your desk",
142 "are you available",
143 "attached file to docusign",
144 "banking is temporarily unavailable",
145 "bankofamerica",
146 "closing statement invoice",
147 "completed: docusign",
148 "de-activation of",
149 "delivery attempt",
150 "delivery stopped for shipment",
151 "detected suspicious",
152 "detected suspicious actvity",
153 "docu sign",
154 "document for you",
155 "document has been sent to you via docusign",
156 "document is ready for signature",
157 "docusign",
158 "encrypted message",
159 "failed delivery",
160 "fedex tracking",
161 "file was shared",
162 "freefax",
163 "fwd: due invoice paid",
164 "has shared",
165 "inbox is full",
166 "invitation to comment",
167 "invitation to edit",
168 "invoice due",
169 "left you a message",
170 "message from",
171 "new message",
172 "new voicemail",
173 "on desk",
174 "out of space",
175 "password reset",
176 "payment status",
177 "pay notification",
178 "quick reply",
179 "re: w-2",
180 "required",
181 "required: completed docusign",
182 "remittance",
183 "ringcentral",
184 "scanned image",
185 "secured files",
186 "secured pdf",
187 "security alert",
188 "new sign-in",
189 "new sign in",
190 "sign-in attempt",
191 "sign in attempt",
192 "staff review",
193 "suspicious activity",
194 "unrecognized login attempt",
195 "unusual signin",
196 "upgrade immediately",
197 "urgent",
198 "wants to share",
199 "w2",
200 "you have notifications pending",
201 "your account",
202 "your amazon order",
203 "your document settlement",
204 "your order with amazon",
205 "your password has been compromised",
206 )
207 or (
208 regex.icontains(sender.display_name,
209 "Admin",
210 "Administrator",
211 "Alert",
212 "Assistant",
213 "Authenticat(or|ion)",
214 "Billing",
215 "Benefits",
216 "Bonus",
217 "CEO",
218 "CFO",
219 "CIO",
220 "CTO",
221 "Chairman",
222 "Claim",
223 "Confirm",
224 "Cpanel Mail",
225 "Critical",
226 "Customer Service",
227 "Deal",
228 "Discount",
229 "Director",
230 "Exclusive",
231 "Executive",
232 "Fax",
233 "Free",
234 "Gift",
235 '\bHR\b',
236 "Helpdesk",
237 "Human Resources",
238 "Immediate",
239 "Important",
240 "Info",
241 "Information",
242 "Invoice",
243 '\bIT\b',
244 '\bLegal\b',
245 "Lottery",
246 "Management",
247 "Manager",
248 "Member Services",
249 "Notification",
250 "Offer",
251 "Operations",
252 "Order",
253 "Partner",
254 "Payment",
255 "Payroll",
256 "Postmaster",
257 "President",
258 "Premium",
259 "Prize",
260 "Receipt",
261 "Refund",
262 "Registrar",
263 "Required",
264 "Reward",
265 "Sales",
266 "Secretary",
267 "Security",
268 "Service",
269 "Storage",
270 "Support",
271 "Sweepstakes",
272 "System",
273 "Tax",
274 "Tech Support",
275 "Update",
276 "Upgrade",
277 "Urgent",
278 "Validate",
279 "Verify",
280 "VIP",
281 "Webmaster",
282 "Winner",
283 )
284 // add negation for common FPs in the sender display_name
285 and not strings.icontains(sender.display_name, "service bulletin")
286 and not strings.icontains(sender.display_name, "automotive service")
287
288 )
289 )
290 and (
291 4 of (
292 any(recipients.to,
293 .email.domain.valid
294 and (
295 strings.icontains(body.current_thread.text, .email.email)
296 or strings.icontains(body.current_thread.text, .email.local_part)
297 )
298 ),
299 any(ml.nlu_classifier(body.current_thread.text).intents,
300 .name == "cred_theft" and .confidence in ("medium", "high")
301 ),
302 any(ml.nlu_classifier(body.current_thread.text).entities,
303 .name == "request"
304 ),
305 (
306 // freemail providers should never be sending this type of email
307 sender.email.domain.domain in $free_email_providers
308
309 // if not freemail, it's suspicious if the sender's root domain
310 // doesn't match any links in the body
311 or all(body.links,
312 .href_url.domain.root_domain != sender.email.domain.root_domain
313 and .href_url.domain.root_domain not in $org_domains
314 )
315 ),
316 // in case it's embedded in an image attachment
317 // note: don't use message_screenshot() because it's not limited to current_thread
318 // and may FP
319 any(attachments,
320 .file_type in $file_types_images
321 and any(file.explode(.),
322 any(ml.nlu_classifier(.scan.ocr.raw).intents,
323 .name == "cred_theft" and .confidence == "high"
324 )
325 )
326 ),
327 strings.contains(body.current_thread.text,
328 "Your mailbox can no longer send or receive messages."
329 ),
330 any(body.links,
331 strings.icontains(.href_url.query_params, 'redirect')
332 or any(.href_url.rewrite.encoders,
333 strings.icontains(., "open_redirect")
334 )
335 ),
336 // multiple entities displaying urgency
337 length(filter(ml.nlu_classifier(body.current_thread.text).entities,
338 .name == "urgency"
339 )
340 ) >= 2
341 // and any body links
342 and any(body.links,
343 // display text contains a request
344 any(ml.nlu_classifier(.display_text).entities, .name == "request")
345 )
346 )
347 or (
348 (
349 // recipient's email address is in the body
350 any(recipients.to,
351 // use count to ensure the email address is not part of a disclaimer
352 strings.icount(body.current_thread.text, .email.email) >
353 // sum allows us to add more logic as needed
354 sum([
355 strings.icount(body.current_thread.text,
356 strings.concat('was sent to ', .email.email)
357 ),
358 strings.icount(body.current_thread.text,
359 strings.concat('intended for ', .email.email)
360 )
361 ]
362 )
363 )
364 // suspicious display text
365 or (
366 length(body.links) == 1
367 and all(body.links, strings.ilike(.display_text, "*click here*", "*password*"))
368 )
369 )
370 // link leads to a suspicious TLD or contains an IP address or contains multiple redirects
371 and any(body.links,
372 (
373 ml.link_analysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
374 or length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history, .domain.root_domain))) >= 4
375 or (
376 any(body.ips,
377 any(body.links, strings.icontains(.href_url.url, ..ip))
378 )
379 )
380 )
381 )
382 )
383 )
384 // exclude Google shared calendar messages
385 // Subject: "<sender name> has shared a calendar with you"
386 and headers.return_path.domain.domain != "calendar-server.bounces.google.com"
387 // negate calendar invites
388 and not (
389 0 < length(attachments) < 3
390 and all(attachments, .content_type in ("text/calendar", "application/ics"))
391 )
392 // bounce-back negations
393 and not (
394 strings.like(sender.email.local_part,
395 "*postmaster*",
396 "*mailer-daemon*",
397 "*administrator*"
398 )
399 and any(attachments,
400 .content_type in (
401 "message/rfc822",
402 "message/delivery-status",
403 "text/calendar"
404 )
405 )
406 )
407 and (
408 (
409 profile.by_sender().prevalence in ("new", "outlier")
410 and not profile.by_sender().solicited
411 )
412 or (
413 profile.by_sender().any_messages_malicious_or_spam
414 and not profile.by_sender().any_false_positives
415 )
416 )
417 // negate highly trusted sender domains unless they fail DMARC authentication
418 and (
419 (
420 sender.email.domain.root_domain in $high_trust_sender_root_domains
421 and not headers.auth_summary.dmarc.pass
422 )
423 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
424 )
425attack_types:
426 - "Credential Phishing"
427tactics_and_techniques:
428 - "Free email provider"
429 - "Social engineering"
430detection_methods:
431 - "Content analysis"
432 - "Header analysis"
433 - "Natural Language Understanding"
434 - "Sender analysis"
435 - "URL analysis"
436id: "c2bc8ca2-d207-5c7d-96e4-a0d3d33b2af5"