Credential phishing: Engaging language and other indicators (untrusted sender)

Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Credential phishing: Engaging language and other indicators (untrusted sender)"
  2description: |
  3    Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  and (
  9    regex.icontains(subject.subject,
 10                    "termination.*notice",
 11                    "38417",
 12                    ":completed",
 13                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
 14                    "[il][il][il]egai[ -]",
 15                    "[li][li][li]ega[li] attempt",
 16                    "[ng]-?[io]n .*block",
 17                    "[ng]-?[io]n .*cancel",
 18                    "[ng]-?[io]n .*deactiv",
 19                    "[ng]-?[io]n .*disabl",
 20                    "action.*required",
 21                    "abandon.*package",
 22                    "about.your.account",
 23                    "acc(ou)?n?t (is )?on ho[li]d",
 24                    "acc(ou)?n?t.*terminat",
 25                    "acc(oun)?t.*[il1]{2}mitation",
 26                    "access.*limitation",
 27                    "account (will be )?block",
 28                    "account.*de-?activat",
 29                    "account.*locked",
 30                    "account.*re-verification",
 31                    "account.*security",
 32                    "account.*suspension",
 33                    "account.has.been",
 34                    "account.has.expired",
 35                    "account.will.be.blocked",
 36                    "account v[il]o[li]at",
 37                    "activity.*acc(oun)?t",
 38                    "almost.full",
 39                    "app[li]e.[il]d",
 40                    "authenticate.*account",
 41                    "been.*suspend",
 42                    "crediential.*notif",
 43                    "clos.*of.*account.*processed",
 44                    "confirm.your.account",
 45                    "courier.*able",
 46                    "crediential.*notif",
 47                    "deactivation.*in.*progress",
 48                    "delivery.*attempt.*failed",
 49                    "document.received",
 50                    "documented.*shared.*with.*you",
 51                    "dropbox.*document",
 52                    "e-?ma[il1]+ .{010}suspen",
 53                    "e-?ma[il1]{1} user",
 54                    "e-?ma[il1]{2} acc",
 55                    "e-?ma[il1]{2}.*up.?grade",
 56                    "e.?ma[il1]{2}.*server",
 57                    "e.?ma[il1]{2}.*suspend",
 58                    "email.update",
 59                    "faxed you",
 60                    "fraud(ulent)?.*charge",
 61                    "from.helpdesk",
 62                    "fu[il1]{2}.*ma[il1]+[ -]?box",
 63                    "has.been.*suspended",
 64                    "has.been.limited",
 65                    "have.locked",
 66                    "he[li]p ?desk upgrade",
 67                    "heipdesk",
 68                    "i[il]iega[il]",
 69                    "ii[il]ega[il]",
 70                    "incoming e?mail",
 71                    "incoming.*fax",
 72                    "lock.*security",
 73                    "ma[il1]{1}[ -]?box.*quo",
 74                    "ma[il1]{2}[ -]?box.*fu[il1]",
 75                    "ma[il1]{2}box.*[il1]{2}mit",
 76                    "ma[il1]{2}box stor",
 77                    "mail on.?hold",
 78                    "mail.*box.*migration",
 79                    "mail.*de-?activat",
 80                    "mail.update.required",
 81                    "mails.*pending",
 82                    "messages.*pending",
 83                    "missed.*shipping.*notification",
 84                    "missed.shipment.notification",
 85                    "must.update.your.account",
 86                    "new [sl][io]g?[nig][ -]?in from",
 87                    "new voice ?-?mail",
 88                    "notifications.*pending",
 89                    "office.*3.*6.*5.*suspend",
 90                    "office365",
 91                    "on google docs with you",
 92                    "online doc",
 93                    "password.*compromised",
 94                    "periodic maintenance",
 95                    "potential(ly)? unauthorized",
 96                    "refund not approved",
 97                    "report",
 98                    "revised.*policy",
 99                    "scam",
100                    "scanned.?invoice",
101                    "secured?.update",
102                    "security breach",
103                    "securlty",
104                    "signed.*delivery",
105                    "status of your .{314}? ?delivery",
106                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
107                    "suspicious.*sign.*[io]n",
108                    "suspicious.activit",
109                    "temporar(il)?y deactivate",
110                    "temporar[il1]{2}y disab[li]ed",
111                    "temporarily.*lock",
112                    "un-?usua[li].activity",
113                    "unable.*deliver",
114                    "unauthorized.*activit",
115                    "unauthorized.device",
116                    "undelivered message",
117                    "unread.*doc",
118                    "unusual.activity",
119                    "upgrade.*account",
120                    "upgrade.notice",
121                    "urgent message",
122                    "urgent.verification",
123                    "v[il1]o[li1]at[il1]on security",
124                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
125                    "verification ?-?require",
126                    "verification( )?-?need",
127                    "verify.your?.account",
128                    "web ?-?ma[il1]{2}",
129                    "web[ -]?ma[il1]{2}",
130                    "will.be.suspended",
131                    "your (customer )?account .as",
132                    "your.office.365",
133                    "your.online.access",
134                    "de.activation",
135                    // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
136                    "account has been limited",
137                    "action required",
138                    "almost full",
139                    "apd notifi cation",
140                    "are you at your desk",
141                    "are you available",
142                    "attached file to docusign",
143                    "banking is temporarily unavailable",
144                    "bankofamerica",
145                    "closing statement invoice",
146                    "completed: docusign",
147                    "de-activation of",
148                    "delivery attempt",
149                    "delivery stopped for shipment",
150                    "detected suspicious",
151                    "detected suspicious actvity",
152                    "docu sign",
153                    "document for you",
154                    "document has been sent to you via docusign",
155                    "document is ready for signature",
156                    "docusign",
157                    "encrypted message",
158                    "failed delivery",
159                    "fedex tracking",
160                    "file was shared",
161                    "freefax",
162                    "fwd: due invoice paid",
163                    "has shared",
164                    "inbox is full",
165                    "invitation to comment",
166                    "invitation to edit",
167                    "invoice due",
168                    "left you a message",
169                    "message from",
170                    "new message",
171                    "new voicemail",
172                    "on desk",
173                    "out of space",
174                    "password reset",
175                    "payment status",
176                    "pay notification",
177                    "quick reply",
178                    "re: w-2",
179                    "required",
180                    "required: completed docusign",
181                    "remittance",
182                    "ringcentral",
183                    "scanned image",
184                    "secured files",
185                    "secured pdf",
186                    "security alert",
187                    "new sign-in",
188                    "new sign in",
189                    "sign-in attempt",
190                    "sign in attempt",
191                    "staff review",
192                    "suspicious activity",
193                    "unrecognized login attempt",
194                    "unusual signin",
195                    "upgrade immediately",
196                    "urgent",
197                    "wants to share",
198                    "w2",
199                    "you have notifications pending",
200                    "your account",
201                    "your amazon order",
202                    "your document settlement",
203                    "your order with amazon",
204                    "your password has been compromised",
205    )
206    or (
207      regex.icontains(sender.display_name,
208                       "Admin",
209                       "Administrator",
210                       "Alert",
211                       "Assistant",
212                       "Authenticat(or|ion)",
213                       "Billing",
214                       "Benefits",
215                       "Bonus",
216                       "CEO",
217                       "CFO",
218                       "CIO",
219                       "CTO",
220                       "Chairman",
221                       "Claim",
222                       "Confirm",
223                       "Cpanel Mail",
224                       "Critical",
225                       "Customer Service",
226                       "Deal",
227                       "Discount",
228                       "Director",
229                       "Exclusive",
230                       "Executive",
231                       "Fax",
232                       "Free",
233                       "Gift",
234                       "HR",
235                       "Helpdesk",
236                       "Human Resources",
237                       "Immediate",
238                       "Important",
239                       "Info",
240                       "Information",
241                       "Invoice",
242                       '\bIT\b',
243                       '\bLegal\b',
244                       "Lottery",
245                       "Management",
246                       "Manager",
247                       "Member Services",
248                       "Notification",
249                       "Offer",
250                       "Operations",
251                       "Order",
252                       "Partner",
253                       "Payment",
254                       "Payroll",
255                       "Postmaster",
256                       "President",
257                       "Premium",
258                       "Prize",
259                       "Receipt",
260                       "Refund",
261                       "Registrar",
262                       "Required",
263                       "Reward",
264                       "Sales",
265                       "Secretary",
266                       "Security",
267                       "Service",
268                       "Storage",
269                       "Support",
270                       "Sweepstakes",
271                       "System",
272                       "Tax",
273                       "Tech Support",
274                       "Update",
275                       "Upgrade",
276                       "Urgent",
277                       "Validate",
278                       "Verify",
279                       "VIP",
280                       "Webmaster",
281                       "Winner",
282      ) 
283      // add negation for common FPs in the sender display_name
284      and not strings.icontains(sender.display_name, "service bulletin")
285      and not strings.icontains(sender.display_name, "automotive service")
286
287    )
288  )
289  and (
290    4 of (
291      any(recipients.to,
292          .email.domain.valid
293          and (
294            strings.icontains(body.current_thread.text, .email.email)
295            or strings.icontains(body.current_thread.text, .email.local_part)
296          )
297      ),
298      any(ml.nlu_classifier(body.current_thread.text).intents,
299          .name == "cred_theft" and .confidence in ("medium", "high")
300      ),
301      any(ml.nlu_classifier(body.current_thread.text).entities,
302          .name == "request"
303      ),
304      (
305        // freemail providers should never be sending this type of email
306        sender.email.domain.domain in $free_email_providers
307  
308        // if not freemail, it's suspicious if the sender's root domain
309        // doesn't match any links in the body
310        or all(body.links,
311               .href_url.domain.root_domain != sender.email.domain.root_domain
312               and .href_url.domain.root_domain not in $org_domains
313        )
314      ),
315      // in case it's embedded in an image attachment
316      // note: don't use message_screenshot() because it's not limited to current_thread
317      // and may FP
318      any(attachments,
319          .file_type in $file_types_images
320          and any(file.explode(.),
321                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
322                      .name == "cred_theft" and .confidence == "high"
323                  )
324          )
325      ),
326      strings.contains(body.current_thread.text,
327                       "Your mailbox can no longer send or receive messages."
328      ),
329      any(body.links,
330          strings.icontains(.href_url.query_params, 'redirect')
331          or any(.href_url.rewrite.encoders,
332                 strings.icontains(., "open_redirect")
333          )
334      ),
335      // multiple entities displaying urgency 
336      length(filter(ml.nlu_classifier(body.current_thread.text).entities,
337                    .name == "urgency"
338             )
339      ) >= 2
340      // and any body links
341      and any(body.links,
342              // display text contains a request
343              any(ml.nlu_classifier(.display_text).entities, .name == "request")
344      )
345    )
346    or (
347      (
348        // recipient's email address is in the body
349        any(recipients.to,
350            strings.icontains(body.current_thread.text, .email.email)
351        )
352        // suspicious display text
353        or (
354          length(body.links) == 1
355          and all(body.links, strings.ilike(.display_text, "*click here*", "*password*"))
356        )
357      )
358      // link leads to a suspicious TLD or contains an IP address or contains multiple redirects
359      and any(body.links,
360              (
361                ml.link_analysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
362                or length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history, .domain.root_domain))) >= 4
363                or (
364                  any(body.ips,
365                      any(body.links, strings.icontains(.href_url.url, ..ip))
366                  )
367                )
368              )
369      )
370    )
371  )
372  // exclude Google shared calendar messages
373  // Subject: "<sender name> has shared a calendar with you"
374  and headers.return_path.domain.domain != "calendar-server.bounces.google.com"
375  // negate calendar invites
376  and not (
377    0 < length(attachments) < 3
378    and all(attachments, .content_type in ("text/calendar", "application/ics"))
379  )
380  // bounce-back negations
381  and not (
382    strings.like(sender.email.local_part,
383                 "*postmaster*",
384                 "*mailer-daemon*",
385                 "*administrator*"
386    )
387    and any(attachments,
388            .content_type in (
389              "message/rfc822",
390              "message/delivery-status",
391              "text/calendar"
392            )
393    )
394  )
395  and (
396    (
397      profile.by_sender().prevalence in ("new", "outlier")
398      and not profile.by_sender().solicited
399    )
400    or (
401      profile.by_sender().any_messages_malicious_or_spam
402      and not profile.by_sender().any_false_positives
403    )
404  )
405  // negate highly trusted sender domains unless they fail DMARC authentication
406  and (
407    (
408      sender.email.domain.root_domain in $high_trust_sender_root_domains
409      and not headers.auth_summary.dmarc.pass
410    )
411    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
412  )  
413attack_types:
414  - "Credential Phishing"
415tactics_and_techniques:
416  - "Free email provider"
417  - "Social engineering"
418detection_methods:
419  - "Content analysis"
420  - "Header analysis"
421  - "Natural Language Understanding"
422  - "Sender analysis"
423  - "URL analysis"
424id: "c2bc8ca2-d207-5c7d-96e4-a0d3d33b2af5"
to-top