Credential phishing language and suspicious indicators (unknown sender)

calendar Jul 29, 2024  ยท
Share on: linkedin copy

Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.

Sublime rule (View on GitHub)

  1name: "Credential phishing language and suspicious indicators (unknown sender)"
  2description: |
  3    Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  and (
  9    any(ml.nlu_classifier(body.current_thread.text).intents,
 10        .name == "cred_theft" and .confidence in ("medium", "high")
 11    )
 12    // embedded in an image attachment
 13    // note: don't use message_screenshot()
 14    // because it's not limited to current_thread and may FP
 15    or any(attachments,
 16           .file_type in $file_types_images
 17           and any(file.explode(.),
 18                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
 19                       .name == "cred_theft" and .confidence == "high"
 20                   )
 21           )
 22    )
 23  )
 24  and 4 of (
 25    // impersonation of the recipient's domain or email address
 26    // in the subject to make it look more personalized
 27    any(recipients.to,
 28        (
 29          strings.icontains(subject.subject, .email.local_part)
 30          or strings.icontains(subject.subject, .email.domain.sld)
 31        )
 32        and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
 33    ),
 34    // recipient's email address in the body. this is not very uncommon
 35    // for legit credential themed messages either
 36    any(recipients.to,
 37        (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
 38        and strings.icontains(body.current_thread.text, .email.email)
 39    ),
 40    (
 41      // freemail providers should never be sending this type of email
 42      sender.email.domain.domain in $free_email_providers
 43
 44      // if not freemail, it's suspicious if the sender's root domain
 45      // doesn't match any links in the body
 46      or (
 47        length(body.links) > 0
 48        and all(body.links,
 49                .href_url.domain.root_domain != sender.email.domain.root_domain
 50        )
 51      )
 52    ),
 53    strings.contains(body.current_thread.text,
 54                     "Your mailbox can no longer send or receive messages."
 55    ),
 56      // link redirects to a suspicious TLD
 57      any(body.links,
 58          any(ml.link_analysis(., mode="aggressive").redirect_history, .domain.tld in $suspicious_tlds)
 59    ),
 60    (
 61      // suspicious redirects
 62      // 3 or more different domains with 2 or more different TLDs
 63      // careful because click trackers will always make this at least 2
 64      // different domains and not unlikely 2 or more TLDs
 65      any(body.links,
 66          length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
 67                              .domain.tld
 68                          )
 69                 )
 70          ) >= 2
 71          and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
 72                                  .domain.domain
 73                              )
 74                     )
 75          ) >= 3
 76      )
 77    ),
 78  // maybe: any brand logo with high confidence
 79  // maybe: recipients BCCd or undisclosed
 80  )
 81  and (
 82    (
 83      profile.by_sender().prevalence in ("new", "outlier")
 84      and not profile.by_sender().solicited
 85    )
 86    or (
 87      profile.by_sender().any_messages_malicious_or_spam
 88      and not profile.by_sender().any_false_positives
 89    )
 90  )
 91
 92  // negating Google Calendar invites
 93  and (
 94    (
 95      (
 96        length(attachments) > 0
 97        and not all(attachments,
 98                    .content_type in ("text/calendar", "application/ics")
 99        )
100      )
101      and not (
102        any(distinct(headers.hops, .authentication_results.dmarc is null),
103            strings.ilike(.authentication_results.dmarc, "*pass")
104            and strings.ilike(.authentication_results.spf_details.designator,
105                              "*calendar-server.bounces.google.com"
106            )
107        )
108      )
109    )
110    or length(attachments) == 0
111  )
112
113  // negate highly trusted sender domains unless they fail DMARC authentication
114  and (
115    (
116      sender.email.domain.root_domain in $high_trust_sender_root_domains
117      and not headers.auth_summary.dmarc.pass
118    )
119    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
120  )  
121attack_types:
122  - "Credential Phishing"
123tactics_and_techniques:
124  - "Free email provider"
125  - "Social engineering"
126detection_methods:
127  - "Content analysis"
128  - "Header analysis"
129  - "Natural Language Understanding"
130  - "Sender analysis"
131  - "URL analysis"
132id: "89c186f7-8c8d-55db-8b6f-da6ead587b1d"
to-top