Credential phishing: Engaging language and other indicators (untrusted sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
Sublime rule (View on GitHub)
1name: "Credential phishing: Engaging language and other indicators (untrusted sender)"
2description: |
3 Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and (
9 regex.icontains(subject.subject,
10 "termination.*notice",
11 "38417",
12 ":completed",
13 "[il1]{2}mit.*ma[il1]{2} ?bo?x",
14 "[il][il][il]egai[ -]",
15 "[li][li][li]ega[li] attempt",
16 "[ng]-?[io]n .*block",
17 "[ng]-?[io]n .*cancel",
18 "[ng]-?[io]n .*deactiv",
19 "[ng]-?[io]n .*disabl",
20 "action.*required",
21 "abandon.*package",
22 "about.your.account",
23 "acc(ou)?n?t (is )?on ho[li]d",
24 "acc(ou)?n?t.*terminat",
25 "acc(oun)?t.*[il1]{2}mitation",
26 "access.*limitation",
27 "account (will be )?block",
28 "account.*de-?activat",
29 "account.*locked",
30 "account.*re-verification",
31 "account.*security",
32 "account.*suspension",
33 "account.has.been",
34 "account.has.expired",
35 "account.will.be.blocked",
36 "account v[il]o[li]at",
37 "activity.*acc(oun)?t",
38 "almost.full",
39 "app[li]e.[il]d",
40 "authenticate.*account",
41 "been.*suspend",
42 "clos.*of.*account.*processed",
43 "confirm.your.account",
44 "courier.*able",
45 "deactivation.*in.*progress",
46 "delivery.*attempt.*failed",
47 "document.received",
48 "documented.*shared.*with.*you",
49 "dropbox.*document",
50 "e-?ma[il1]+ .{010}suspen",
51 "e-?ma[il1]{1} user",
52 "e-?ma[il1]{2} acc",
53 "e-?ma[il1]{2}.*up.?grade",
54 "e.?ma[il1]{2}.*server",
55 "e.?ma[il1]{2}.*suspend",
56 "email.update",
57 "faxed you",
58 "fraud(ulent)?.*charge",
59 "from.helpdesk",
60 "fu[il1]{2}.*ma[il1]+[ -]?box",
61 "has.been.*suspended",
62 "has.been.limited",
63 "have.locked",
64 "he[li]p ?desk upgrade",
65 "heipdesk",
66 "i[il]iega[il]",
67 "ii[il]ega[il]",
68 "incoming e?mail",
69 "incoming.*fax",
70 "lock.*security",
71 "ma[il1]{1}[ -]?box.*quo",
72 "ma[il1]{2}[ -]?box.*fu[il1]",
73 "ma[il1]{2}box.*[il1]{2}mit",
74 "ma[il1]{2}box stor",
75 "mail on.?hold",
76 "mail.*box.*migration",
77 "mail.*de-?activat",
78 "mail.update.required",
79 "mails.*pending",
80 "messages.*pending",
81 "missed.*shipping.*notification",
82 "missed.shipment.notification",
83 "must.update.your.account",
84 "new [sl][io]g?[nig][ -]?in from",
85 "new voice ?-?mail",
86 "notifications.*pending",
87 "office.*3.*6.*5.*suspend",
88 "office365",
89 "on google docs with you",
90 "online doc",
91 "password.*compromised",
92 "periodic maintenance",
93 "potential(ly)? unauthorized",
94 "refund not approved",
95 "report",
96 "revised.*policy",
97 "scam",
98 "scanned.?invoice",
99 "secured?.update",
100 "security breach",
101 "securlty",
102 "signed.*delivery",
103 "status of your .{314}? ?delivery",
104 "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
105 "suspicious.*sign.*[io]n",
106 "suspicious.activit",
107 "temporar(il)?y deactivate",
108 "temporar[il1]{2}y disab[li]ed",
109 "temporarily.*lock",
110 "un-?usua[li].activity",
111 "unable.*deliver",
112 "unauthorized.*activit",
113 "unauthorized.device",
114 "undelivered message",
115 "unread.*doc",
116 "unusual.activity",
117 "upgrade.*account",
118 "upgrade.notice",
119 "urgent message",
120 "urgent.verification",
121 "v[il1]o[li1]at[il1]on security",
122 "va[il1]{1}date.*ma[il1]{2}[ -]?box",
123 "verification ?-?require",
124 "verification( )?-?need",
125 "verify.your?.account",
126 "web ?-?ma[il1]{2}",
127 "web[ -]?ma[il1]{2}",
128 "will.be.suspended",
129 "your (customer )?account .as",
130 "your.office.365",
131 "your.online.access",
132 "de.activation",
133 // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
134 "account has been limited",
135 "action required",
136 "almost full",
137 "apd notifi cation",
138 "are you at your desk",
139 "are you available",
140 "attached file to docusign",
141 "banking is temporarily unavailable",
142 "bankofamerica",
143 "closing statement invoice",
144 "completed: docusign",
145 "de-activation of",
146 "delivery attempt",
147 "delivery stopped for shipment",
148 "detected suspicious",
149 "detected suspicious actvity",
150 "docu sign",
151 "document for you",
152 "document has been sent to you via docusign",
153 "document is ready for signature",
154 "docusign",
155 "encrypted message",
156 "failed delivery",
157 "fedex tracking",
158 "file was shared",
159 "freefax",
160 "fwd: due invoice paid",
161 "has shared",
162 "inbox is full",
163 "invitation to comment",
164 "invitation to edit",
165 "invoice due",
166 "left you a message",
167 "message from",
168 "new message",
169 "new voicemail",
170 "on desk",
171 "out of space",
172 "password reset",
173 "payment status",
174 "quick reply",
175 "re: w-2",
176 "required",
177 "required: completed docusign",
178 "remittance",
179 "ringcentral",
180 "scanned image",
181 "secured files",
182 "secured pdf",
183 "security alert",
184 "new sign-in",
185 "new sign in",
186 "sign-in attempt",
187 "sign in attempt",
188 "staff review",
189 "suspicious activity",
190 "unrecognized login attempt",
191 "unusual signin",
192 "upgrade immediately",
193 "urgent",
194 "wants to share",
195 "w2",
196 "you have notifications pending",
197 "your account",
198 "your amazon order",
199 "your document settlement",
200 "your order with amazon",
201 "your password has been compromised",
202 )
203 or regex.icontains(sender.display_name,
204 "Admin",
205 "Administrator",
206 "Alert",
207 "Assistant",
208 "Billing",
209 "Benefits",
210 "Bonus",
211 "CEO",
212 "CFO",
213 "CIO",
214 "CTO",
215 "Chairman",
216 "Claim",
217 "Confirm",
218 "Cpanel Mail",
219 "Critical",
220 "Customer Service",
221 "Deal",
222 "Discount",
223 "Director",
224 "Exclusive",
225 "Executive",
226 "Fax",
227 "Free",
228 "Gift",
229 "HR",
230 "Helpdesk",
231 "Human Resources",
232 "Immediate",
233 "Important",
234 "Info",
235 "Information",
236 "Invoice",
237 '\bIT\b',
238 '\bLegal\b',
239 "Lottery",
240 "Management",
241 "Manager",
242 "Member Services",
243 "Notification",
244 "Offer",
245 "Operations",
246 "Order",
247 "Partner",
248 "Payment",
249 "Payroll",
250 "Postmaster",
251 "President",
252 "Premium",
253 "Prize",
254 "Receipt",
255 "Refund",
256 "Registrar",
257 "Required",
258 "Reward",
259 "Sales",
260 "Secretary",
261 "Security",
262 "Service",
263 "Storage",
264 "Support",
265 "Sweepstakes",
266 "System",
267 "Tax",
268 "Tech Support",
269 "Update",
270 "Upgrade",
271 "Urgent",
272 "Validate",
273 "Verify",
274 "VIP",
275 "Webmaster",
276 "Winner",
277 )
278 )
279 and (
280 4 of (
281 any(recipients.to,
282 .email.domain.valid
283 and strings.icontains(body.current_thread.text, .email.email)
284 ),
285 any(ml.nlu_classifier(body.current_thread.text).intents,
286 .name == "cred_theft" and .confidence in ("medium", "high")
287 ),
288 any(ml.nlu_classifier(body.current_thread.text).entities,
289 .name == "request"
290 ),
291 (
292 // freemail providers should never be sending this type of email
293 sender.email.domain.domain in $free_email_providers
294
295 // if not freemail, it's suspicious if the sender's root domain
296 // doesn't match any links in the body
297 or all(body.links,
298 .href_url.domain.root_domain != sender.email.domain.root_domain
299 and .href_url.domain.root_domain not in $org_domains
300 )
301 ),
302 // in case it's embedded in an image attachment
303 // note: don't use message_screenshot() because it's not limited to current_thread
304 // and may FP
305 any(attachments,
306 .file_type in $file_types_images
307 and any(file.explode(.),
308 any(ml.nlu_classifier(.scan.ocr.raw).intents,
309 .name == "cred_theft" and .confidence == "high"
310 )
311 )
312 ),
313 strings.contains(body.current_thread.text,
314 "Your mailbox can no longer send or receive messages."
315 )
316 )
317 or (
318 // recipient's email address is in the body
319 any(recipients.to,
320 strings.icontains(body.current_thread.text, .email.email)
321 )
322 // link leads to a suspicious TLD or contains an IP address
323 and any(body.links,
324 (
325 beta.linkanalysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
326 or (
327 any(body.ips,
328 any(body.links, strings.icontains(.href_url.url, ..ip))
329 )
330 )
331 )
332 )
333 )
334 )
335 // exclude Google shared calendar messages
336 // Subject: "<sender name> has shared a calendar with you"
337 and headers.return_path.domain.domain != "calendar-server.bounces.google.com"
338 // bounce-back negations
339 and not (
340 strings.like(sender.email.local_part,
341 "*postmaster*",
342 "*mailer-daemon*",
343 "*administrator*"
344 )
345 and any(attachments,
346 .content_type in (
347 "message/rfc822",
348 "message/delivery-status",
349 "text/calendar"
350 )
351 )
352 )
353 and (
354 (
355 profile.by_sender().prevalence in ("new", "outlier")
356 and not profile.by_sender().solicited
357 )
358 or (
359 profile.by_sender().any_messages_malicious_or_spam
360 and not profile.by_sender().any_false_positives
361 )
362 )
363 // negate highly trusted sender domains unless they fail DMARC authentication
364 and (
365 (
366 sender.email.domain.root_domain in $high_trust_sender_root_domains
367 and (
368 any(distinct(headers.hops, .authentication_results.dmarc is not null),
369 strings.ilike(.authentication_results.dmarc, "*fail")
370 )
371 )
372 )
373 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
374 )
375attack_types:
376 - "Credential Phishing"
377tactics_and_techniques:
378 - "Free email provider"
379 - "Social engineering"
380detection_methods:
381 - "Content analysis"
382 - "Header analysis"
383 - "Natural Language Understanding"
384 - "Sender analysis"
385 - "URL analysis"
386id: "c2bc8ca2-d207-5c7d-96e4-a0d3d33b2af5"