Credential phishing language and suspicious indicators (unknown sender)

Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.

Sublime rule (View on GitHub)

  1name: "Credential phishing language and suspicious indicators (unknown sender)"
  2description: |
  3    Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  and (
  9    any(ml.nlu_classifier(body.current_thread.text).intents,
 10        .name == "cred_theft" and .confidence in ("medium", "high")
 11    )
 12    // embedded in an image attachment
 13    // note: don't use message_screenshot()
 14    // because it's not limited to current_thread and may FP
 15    or any(attachments,
 16           .file_type in $file_types_images
 17           and any(file.explode(.),
 18                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
 19                       .name == "cred_theft" and .confidence == "high"
 20                   )
 21           )
 22    )
 23  )
 24  and 4 of (
 25    // impersonation of the recipient's domain or email address
 26    // in the subject to make it look more personalized
 27    any(recipients.to,
 28        (
 29          strings.icontains(subject.subject, .email.local_part)
 30          or strings.icontains(subject.subject, .email.domain.sld)
 31        )
 32        and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
 33    ),
 34    // recipient's email address in the body. this is not very uncommon
 35    // for legit credential themed messages either
 36    any(recipients.to,
 37        (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
 38        and strings.icontains(body.current_thread.text, .email.email)
 39    ),
 40    (
 41      // freemail providers should never be sending this type of email
 42      sender.email.domain.domain in $free_email_providers
 43
 44      // if not freemail, it's suspicious if the sender's root domain
 45      // doesn't match any links in the body
 46      or (
 47        length(body.links) > 0
 48        and all(body.links,
 49                .href_url.domain.root_domain != sender.email.domain.root_domain
 50        )
 51      )
 52    ),
 53    strings.contains(body.current_thread.text,
 54                     "Your mailbox can no longer send or receive messages."
 55    ),
 56      // link redirects to a suspicious TLD
 57      any(body.links,
 58          any(beta.linkanalysis(., mode="aggressive").redirect_history, .domain.tld in $suspicious_tlds)
 59    ),
 60    (
 61      // suspicious redirects
 62      // 3 or more different domains with 2 or more different TLDs
 63      // careful because click trackers will always make this at least 2
 64      // different domains and not unlikely 2 or more TLDs
 65      any(body.links,
 66          length(distinct(map(beta.linkanalysis(., mode="aggressive").redirect_history,
 67                              .domain.tld
 68                          )
 69                 )
 70          ) >= 2
 71          and length(distinct(map(beta.linkanalysis(., mode="aggressive").redirect_history,
 72                                  .domain.domain
 73                              )
 74                     )
 75          ) >= 3
 76      )
 77    ),
 78  // maybe: any brand logo with high confidence
 79  // maybe: recipients BCCd or undisclosed
 80  )
 81  and (
 82    (
 83      profile.by_sender().prevalence in ("new", "outlier")
 84      and not profile.by_sender().solicited
 85    )
 86    or (
 87      profile.by_sender().any_messages_malicious_or_spam
 88      and not profile.by_sender().any_false_positives
 89    )
 90  )
 91
 92  // negate highly trusted sender domains unless they fail DMARC authentication
 93  and (
 94    (
 95      sender.email.domain.root_domain in $high_trust_sender_root_domains
 96      and (
 97        any(distinct(headers.hops, .authentication_results.dmarc is not null),
 98            strings.ilike(.authentication_results.dmarc, "*fail")
 99        )
100      )
101    )
102    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
103  )  
104attack_types:
105  - "Credential Phishing"
106tactics_and_techniques:
107  - "Free email provider"
108  - "Social engineering"
109detection_methods:
110  - "Content analysis"
111  - "Header analysis"
112  - "Natural Language Understanding"
113  - "Sender analysis"
114  - "URL analysis"
115id: "89c186f7-8c8d-55db-8b6f-da6ead587b1d"
to-top