Credential phishing language and suspicious indicators (unknown sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
Sublime rule (View on GitHub)
1name: "Credential phishing language and suspicious indicators (unknown sender)"
2description: |
3 Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and (
9 any(ml.nlu_classifier(body.current_thread.text).intents,
10 .name == "cred_theft" and .confidence in ("medium", "high")
11 )
12 // embedded in an image attachment
13 // note: don't use message_screenshot()
14 // because it's not limited to current_thread and may FP
15 or any(attachments,
16 .file_type in $file_types_images
17 and any(file.explode(.),
18 any(ml.nlu_classifier(.scan.ocr.raw).intents,
19 .name == "cred_theft" and .confidence == "high"
20 )
21 )
22 )
23 )
24 and 4 of (
25 // impersonation of the recipient's domain or email address
26 // in the subject to make it look more personalized
27 any(recipients.to,
28 (
29 strings.icontains(subject.subject, .email.local_part)
30 or strings.icontains(subject.subject, .email.domain.sld)
31 )
32 and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
33 ),
34 // recipient's email address in the body. this is not very uncommon
35 // for legit credential themed messages either
36 any(recipients.to,
37 (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
38 and strings.icontains(body.current_thread.text, .email.email)
39 ),
40 (
41 // freemail providers should never be sending this type of email
42 sender.email.domain.domain in $free_email_providers
43
44 // if not freemail, it's suspicious if the sender's root domain
45 // doesn't match any links in the body
46 or (
47 length(body.links) > 0
48 and all(body.links,
49 .href_url.domain.root_domain != sender.email.domain.root_domain
50 )
51 )
52 ),
53 strings.contains(body.current_thread.text,
54 "Your mailbox can no longer send or receive messages."
55 ),
56 // link redirects to a suspicious TLD
57 any(body.links,
58 any(ml.link_analysis(., mode="aggressive").redirect_history, .domain.tld in $suspicious_tlds)
59 ),
60 (
61 // suspicious redirects
62 // 3 or more different domains with 2 or more different TLDs
63 // careful because click trackers will always make this at least 2
64 // different domains and not unlikely 2 or more TLDs
65 any(body.links,
66 length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
67 .domain.tld
68 )
69 )
70 ) >= 2
71 and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
72 .domain.domain
73 )
74 )
75 ) >= 3
76 )
77 ),
78 // maybe: any brand logo with high confidence
79 // maybe: recipients BCCd or undisclosed
80 )
81 and (
82 (
83 profile.by_sender().prevalence in ("new", "outlier")
84 and not profile.by_sender().solicited
85 )
86 or (
87 profile.by_sender().any_messages_malicious_or_spam
88 and not profile.by_sender().any_false_positives
89 )
90 )
91
92 // negate highly trusted sender domains unless they fail DMARC authentication
93 and (
94 (
95 sender.email.domain.root_domain in $high_trust_sender_root_domains
96 and not headers.auth_summary.dmarc.pass
97 )
98 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
99 )
100attack_types:
101 - "Credential Phishing"
102tactics_and_techniques:
103 - "Free email provider"
104 - "Social engineering"
105detection_methods:
106 - "Content analysis"
107 - "Header analysis"
108 - "Natural Language Understanding"
109 - "Sender analysis"
110 - "URL analysis"
111id: "89c186f7-8c8d-55db-8b6f-da6ead587b1d"