Credential phishing language and suspicious indicators (unknown sender)

Message from an unknown sender contains several suspicious indicators together with language characteristic of credential theft.

Sublime rule

name: "Credential phishing language and suspicious indicators (unknown sender)"
description: |
    Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
type: "rule"
severity: "medium"
source: |
  // Rule structure: every one of the top-level "and" groups below must hold.
  //   1. credential-theft intent from the NLU classifier, found either in the
  //      current thread's body text or in the OCR'd text of an image attachment
  //   2. at least 4 of the 7 suspicious indicators listed under "4 of"
  //   3. sender reputation: unknown and unsolicited, or previously flagged
  //   4. neither negation applies (calendar invites, DMARC-passing trusted domains)
  // $-prefixed names (e.g. $free_email_providers) are list references.
  type.inbound
  and (
    // body text: medium or high classifier confidence is accepted
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
    )
    // embedded in an image attachment
    // note: don't use message_screenshot()
    // because it's not limited to current_thread and may FP
    // OCR'd text requires high confidence, stricter than the body check
    // (presumably because OCR output is noisier -- not stated in the rule)
    or any(attachments,
           .file_type in $file_types_images
           and any(file.explode(.),
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence == "high"
                   )
           )
    )
  )
  // at least 4 of the following 7 indicators must match
  and 4 of (
    // impersonation of the recipient's domain or email address
    // in the subject to make it look more personalized
    // (indicator 1) recipient local part or second-level domain in the subject,
    // only for recipients with a valid domain or an "undisclosed" display name
    any(recipients.to,
        (
          strings.icontains(subject.subject, .email.local_part)
          or strings.icontains(subject.subject, .email.domain.sld)
        )
        and (
          .email.domain.valid or strings.icontains(.display_name, "undisclosed")
        )
    ),
    // recipient's email address in the body. this is not very uncommon
    // for legit credential themed messages either
    // (indicator 2)
    any(recipients.to,
        (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
        and strings.icontains(body.current_thread.text, .email.email)
    ),
    ( // page contains turnstile captcha
      // (indicator 3) the final rendered DOM from aggressive link analysis is
      // searched for the Turnstile challenge URL
      any(body.links,
          strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                            'https://challenges.cloudflare.com/turnstile/',
          )
      )
    ),
    (
      // (indicator 4) freemail sender, or sender root domain absent from every link
      // freemail providers should never be sending this type of email
      sender.email.domain.domain in $free_email_providers

      // if not freemail, it's suspicious if the sender's root domain
      // doesn't match any links in the body
      or (
        // guard so a message with no links cannot satisfy the all() below
        length(body.links) > 0
        and all(body.links,
                .href_url.domain.root_domain != sender.email.domain.root_domain
        )
      )
    ),
    // (indicator 5) exact, case-sensitive phrase (strings.contains, not icontains);
    // wording or casing variants of this lure will not count as an indicator
    strings.contains(body.current_thread.text,
                     "Your mailbox can no longer send or receive messages."
    ),
    // link redirects to a suspicious TLD
    // (indicator 6) any hop in the redirect chain, not only the final landing page
    any(body.links,
        any(ml.link_analysis(., mode="aggressive").redirect_history,
            .domain.tld in $suspicious_tlds
        )
    ),
    (
      // suspicious redirects
      // 3 or more different domains with 2 or more different TLDs
      // careful because click trackers will always make this at least 2
      // different domains and not unlikely 2 or more TLDs
      // (indicator 7) both thresholds must hold for the same link
      any(body.links,
          length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                              .domain.tld
                          )
                 )
          ) >= 2
          and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                  .domain.domain
                              )
                     )
          ) >= 3
      )
    ),
  // maybe: any brand logo with high confidence
  // maybe: recipients BCCd or undisclosed
  )
  // sender reputation: unknown and unsolicited, or previously flagged as
  // malicious/spam with no recorded false positives
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negating Google Calendar invites
  // passes when there are no attachments, or when attachments exist, are not
  // all calendar objects, and no hop shows a DMARC pass with Google's
  // calendar-server bounce designator
  and (
    (
      (
        length(attachments) > 0
        and not all(attachments,
                    .content_type in ("text/calendar", "application/ics")
        )
      )
      and not (
        // hops are de-duplicated by whether a DMARC result is present
        any(distinct(headers.hops, .authentication_results.dmarc is null),
            strings.ilike(.authentication_results.dmarc, "*pass")
            and strings.ilike(.authentication_results.spf_details.designator,
                              "*calendar-server.bounces.google.com"
            )
        )
      )
    )
    or length(attachments) == 0
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): if headers.auth_summary.dmarc.pass is null (no DMARC
  // evaluation), confirm how "not" treats it -- a trusted domain with no
  // DMARC result may or may not be negated here
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "89c186f7-8c8d-55db-8b6f-da6ead587b1d"