Credential phishing: Engaging language and other indicators (first-time sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from a first-time sender.
Sublime rule (View on GitHub)
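# Sublime MQL detection rule. The `source` expression is a single conjunction:
# every `and` clause below must hold for the rule to fire. Structure:
#   1. inbound message;
#   2. lure vocabulary in the subject OR an authority/urgency word in the sender
#      display name;
#   3. at least one body link embeds the recipient's local part and domain;
#   4. the NLU classifier labels the thread text as credential theft
#      (medium/high confidence) and finds a "request" entity;
#   5. the sender is a freemail domain, or no body link shares the sender's
#      root domain;
#   6. the sender has not been seen before ($sender_emails / $sender_domains).
name: "Credential phishing: Engaging language and other indicators (first-time sender)"
description: |
  Message contains various suspicious indicators as well as engaging language resembling credential theft from a first-time sender.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Case-insensitive regex list; a single matching pattern is enough.
    // Character classes such as [il1] absorb look-alike substitutions
    // ("ma1l", "emaii") that attackers use to evade plain keyword filters.
    regex.icontains(subject.subject,
      "termination.*notice",
      "38417",
      ":completed",
      "[il1]{2}mit.*ma[il1]{2} ?bo?x",
      "[il][il][il]egai[ -]",
      "[li][li][li]ega[li] attempt",
      "[ng]-?[io]n .*block",
      "[ng]-?[io]n .*cancel",
      "[ng]-?[io]n .*deactiv",
      "[ng]-?[io]n .*disabl",
      "action.*required",
      "abandon.*package",
      "about.your.account",
      "acc(ou)?n?t (is )?on ho[li]d",
      "acc(ou)?n?t.*terminat",
      "acc(oun)?t.*[il1]{2}mitation",
      "access.*limitation",
      "account (will be )?block",
      "account.*de-?activat",
      "account.*locked",
      "account.*re-verification",
      "account.*security",
      "account.*suspension",
      "account.has.been",
      "account.has.expired",
      "account.will.be.blocked",
      "account v[il]o[li]at",
      "activity.*acc(oun)?t",
      "almost.full",
      "app[li]e.[il]d",
      "authenticate.*account",
      "been.*suspend",
      "clos.*of.*account.*processed",
      "confirm.your.account",
      "courier.*able",
      "deactivation.*in.*progress",
      "delivery.*attempt.*failed",
      "document.received",
      "documented.*shared.*with.*you",
      "dropbox.*document",
      // Bounded gap of 0-10 characters. The listing carried ".{010}", which is
      // an exact count of ten and would almost never match.
      "e-?ma[il1]+ .{0,10}suspen",
      "e-?ma[il1]{1} user",
      "e-?ma[il1]{2} acc",
      "e-?ma[il1]{2}.*up.?grade",
      "e.?ma[il1]{2}.*server",
      "e.?ma[il1]{2}.*suspend",
      "email.update",
      "faxed you",
      "fraud(ulent)?.*charge",
      "from.helpdesk",
      "fu[il1]{2}.*ma[il1]+[ -]?box",
      "has.been.*suspended",
      "has.been.limited",
      "have.locked",
      "he[li]p ?desk upgrade",
      "heipdesk",
      "i[il]iega[il]",
      "ii[il]ega[il]",
      "incoming e?mail",
      "incoming.*fax",
      "lock.*security",
      "ma[il1]{1}[ -]?box.*quo",
      "ma[il1]{2}[ -]?box.*fu[il1]",
      "ma[il1]{2}box.*[il1]{2}mit",
      "ma[il1]{2}box stor",
      "mail on.?hold",
      "mail.*box.*migration",
      "mail.*de-?activat",
      "mail.update.required",
      "mails.*pending",
      "messages.*pending",
      "missed.*shipping.*notification",
      "missed.shipment.notification",
      "must.update.your.account",
      "new [sl][io]g?[nig][ -]?in from",
      "new voice ?-?mail",
      "notifications.*pending",
      "office.*3.*6.*5.*suspend",
      "office365",
      "on google docs with you",
      "online doc",
      "password.*compromised",
      "periodic maintenance",
      "potential(ly)? unauthorized",
      "refund not approved",
      // Very broad single words ("report", "required", "urgent" below); they
      // are only tolerable because the link, NLU and sender conjuncts further
      // down must also hold before the rule fires.
      "report",
      "revised.*policy",
      "scam",
      "scanned.?invoice",
      "secured?.update",
      "security breach",
      "securlty",
      "signed.*delivery",
      // Bounded, lazy gap of 3-14 characters. The listing carried ".{314}",
      // an exact count of 314 characters, which is effectively dead.
      "status of your .{3,14}? ?delivery",
      "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
      "suspicious.*sign.*[io]n",
      "suspicious.activit",
      "temporar(il)?y deactivate",
      "temporar[il1]{2}y disab[li]ed",
      "temporarily.*lock",
      "un-?usua[li].activity",
      "unable.*deliver",
      "unauthorized.*activit",
      "unauthorized.device",
      "undelivered message",
      "unread.*doc",
      "unusual.activity",
      "upgrade.*account",
      "upgrade.notice",
      "urgent message",
      "urgent.verification",
      "v[il1]o[li1]at[il1]on security",
      "va[il1]{1}date.*ma[il1]{2}[ -]?box",
      "verification ?-?require",
      "verification( )?-?need",
      "verify.your?.account",
      "web ?-?ma[il1]{2}",
      "web[ -]?ma[il1]{2}",
      "will.be.suspended",
      "your (customer )?account .as",
      "your.office.365",
      "your.online.access",
      // Plain-phrase list imported from the shared static file; several
      // entries overlap the regexes above (e.g. "action required",
      // "almost full", "suspicious activity"), which is harmless for `any`.
      // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
      "account has been limited",
      "action required",
      "almost full",
      "apd notifi cation",
      "are you at your desk",
      "are you available",
      "attached file to docusign",
      "banking is temporarily unavailable",
      "bankofamerica",
      "closing statement invoice",
      "completed: docusign",
      "de-activation of",
      "delivery attempt",
      "delivery stopped for shipment",
      "detected suspicious",
      "detected suspicious actvity",
      "docu sign",
      "document for you",
      "document has been sent to you via docusign",
      "document is ready for signature",
      "docusign",
      "encrypted message",
      "failed delivery",
      "fedex tracking",
      "file was shared",
      "freefax",
      "fwd: due invoice paid",
      "has shared",
      "inbox is full",
      "invitation to comment",
      "invitation to edit",
      "invoice due",
      "left you a message",
      "message from",
      "new message",
      "new voicemail",
      "on desk",
      "out of space",
      "password reset",
      "payment status",
      "quick reply",
      "re: w-2",
      "required",
      "required: completed docusign",
      "remittance",
      "ringcentral",
      "scanned image",
      "secured files",
      "secured pdf",
      "security alert",
      "new sign-in",
      "new sign in",
      "sign-in attempt",
      "sign in attempt",
      "staff review",
      "suspicious activity",
      "unrecognized login attempt",
      "upgrade immediately",
      "urgent",
      "wants to share",
      "w2",
      "you have notifications pending",
      "your account",
      "your amazon order",
      "your document settlement",
      "your order with amazon",
      "your password has been compromised"
    )
    // Display-name impersonation of authority, IT/support, finance or
    // reward senders. Also case-insensitive substring/regex matches.
    or regex.icontains(sender.display_name,
      "Admin",
      "Administrator",
      "Alert",
      "Assistant",
      "Billing",
      "Benefits",
      "Bonus",
      "CEO",
      "CFO",
      "CIO",
      "CTO",
      "Chairman",
      "Claim",
      "Confirm",
      "Critical",
      "Customer Service",
      "Deal",
      "Discount",
      "Director",
      "Exclusive",
      "Executive",
      "Fax",
      "Free",
      "Gift",
      "HR",
      "Helpdesk",
      "Human Resources",
      "Immediate",
      "Important",
      "Info",
      "Information",
      "Invoice",
      // NOTE(review): single-quoted unlike its neighbours, presumably so the
      // \b word-boundary escapes reach the regex engine unchanged — confirm.
      '\bIT\b',
      "Legal",
      "Lottery",
      "Management",
      "Manager",
      "Member Services",
      "Notification",
      "Offer",
      "Operations",
      "Order",
      "Partner",
      "Payment",
      "Payroll",
      "President",
      "Premium",
      "Prize",
      "Receipt",
      "Refund",
      "Registrar",
      "Required",
      "Reward",
      "Sales",
      "Secretary",
      "Security",
      "Service",
      "Support",
      "Sweepstakes",
      "System",
      "Tax",
      "Team",
      "Tech Support",
      "Update",
      "Upgrade",
      "Urgent",
      "Validate",
      "Verify",
      "VIP",
      "Webmaster",
      "Winner"
    )
  )
  and any(body.links,
    // is the recipient's email address in the URL?
    // this method accounts for any encoding we might encounter
    // in the query_params
    // this is common in link tracking, both for
    // benign marketing traffic but also attackers
    // Local part and domain are checked separately (rather than the full
    // address) so that encoded or split representations still match.
    any(recipients.to,
      .email.domain.valid
      and strings.icontains(..href_url.url, .email.local_part)
      and strings.icontains(..href_url.url, .email.domain.domain)
    )
  )
  // NLU gate: the thread must read as credential theft with at least medium
  // confidence, and must contain a request (i.e. it asks the reader to act).
  and any(ml.nlu_classifier(body.current_thread.text).intents,
    .name == "cred_theft" and .confidence in ("medium", "high")
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
  and (
    // freemail providers should never be sending this type of email
    // NOTE(review): this check uses .domain.domain, while the first-time
    // sender block below uses .domain.root_domain for the same list; the
    // two differ for subdomain senders — confirm the difference is intended.
    sender.email.domain.domain in $free_email_providers

    // if not freemail, it's suspicious if the sender's root domain
    // doesn't match any links in the body
    // The any(body.links, ...) clause above guarantees at least one link,
    // so this all(...) is not vacuously satisfied on a link-free body.
    or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
  )

  // first-time sender
  // Freemail senders are tracked per address (the domain is shared by
  // everyone); other senders are tracked per domain.
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "c2bc8ca2-d207-5c7d-96e4-a0d3d33b2af5"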