Credential phishing: 'Secure message' and engaging language

calendar Jan 12, 2026  ยท
Share on: linkedin copy

Body contains language resembling credential theft, and a "secure message" from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Credential phishing: 'Secure message' and engaging language"
  2description: |
  3    Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  and (
  9    any(ml.nlu_classifier(body.current_thread.text).intents,
 10        .name == "cred_theft" and .confidence == "high"
 11    )
 12    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
 13           .name == "cred_theft" and .confidence in ("medium", "high")
 14    )
 15  )
 16  
 17  // ----- other suspicious signals here -----
 18  and (
 19    (
 20      regex.icontains(body.current_thread.text,
 21                      "secure (message|directory|document)"
 22      )
 23      or strings.icontains(body.current_thread.text, "document portal")
 24      or strings.icontains(body.current_thread.text, "encrypted message")
 25      or strings.icontains(body.current_thread.text, "protected message")
 26    )
 27    or any(body.previous_threads,
 28           regex.icontains(.text, "secure (message|directory|document)")
 29           or strings.icontains(.text, "document portal")
 30           or strings.icontains(.text, "encrypted message")
 31           or strings.icontains(.text, "protected message")
 32    )
 33  )
 34  // todo: automated display name / human local part
 35  // todo: suspicious link (unfurl click trackers)
 36  
 37  // ----------
 38  
 39  // has at least 1 link
 40  and length(body.links) > 0
 41  
 42  // negate legitimate message senders
 43  and (
 44    sender.email.domain.root_domain not in ("protectedtrust.com")
 45    and any(body.links,
 46            .href_url.domain.root_domain != sender.email.domain.root_domain
 47    )
 48    // Negate known secure mailer(s)
 49    and not all(body.links,
 50                .href_url.domain.root_domain in (
 51                  "mimecast.com",
 52                  "cisco.com",
 53                  "csiesafe.com"
 54                )
 55    )
 56    and any(headers.hops,
 57            .index == 0
 58            and not any(.fields,
 59                        strings.contains(.value,
 60                                         'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
 61                        )
 62            )
 63    )
 64    and not (
 65      length(filter(attachments,
 66                    strings.ilike(.file_name,
 67                                  "logo.*",
 68                                  "lock.gif",
 69                                  "SecureMessageAtt.html"
 70                    )
 71             )
 72      ) == 3
 73      and any(attachments,
 74              .file_type == "html"
 75              and any(file.explode(.),
 76                      .scan.html.title == "Proofpoint Encryption"
 77                      and any(.scan.url.urls,
 78                              strings.iends_with(.path,
 79                                                 'formpostdir/safeformpost.aspx'
 80                              )
 81                      )
 82              )
 83              and strings.count(file.parse_html(.).raw, 'name="msg') > 3
 84      )
 85    )
 86    and not (
 87      any(headers.hops,
 88          any(.fields,
 89              .name in (
 90                'X-ZixNet',
 91                'X-VPM-MIV',
 92                'X-VPM-ActionCode',
 93                'X-VPM-SmtpTo'
 94              )
 95          )
 96      )
 97      and any(headers.domains,
 98              .root_domain in (
 99                "zixport.com",
100                "zixcorp.com",
101                "zixmail.net",
102                "zixworks.com"
103              )
104      )
105    )
106    and not (
107      any(headers.hops, any(.fields, .name == 'X-SendInc-Message-Id'))
108      and any(headers.domains, .root_domain in ("sendinc.net"))
109    )
110    // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
111    and not length(filter(body.links,
112                          (
113                            .display_text is null
114                            and .display_url.url == sender.email.domain.root_domain
115                          )
116                          or .href_url.domain.root_domain in (
117                            "aka.ms",
118                            "mimecast.com",
119                            "cisco.com"
120                          )
121                   )
122    ) == length(body.links)
123  )
124  and (
125    (
126      profile.by_sender().prevalence in ("new", "outlier")
127      and not profile.by_sender().solicited
128    )
129    or (
130      profile.by_sender().any_messages_malicious_or_spam
131      and not profile.by_sender().any_messages_benign
132    )
133    // or the sender is all undisclosed or there is no recipients
134    or (
135      length(recipients.to) == 0
136      or all(recipients.to,
137             strings.ilike(.display_name, "undisclosed?recipients")
138      )
139    )
140    // or the sender exhibits a "self sender" pattern
141    or (
142      length(recipients.to) == 1
143      and any(recipients.to, .email.email == sender.email.email)
144    )
145  )
146  and not profile.by_sender().any_messages_benign
147  
148  // negate highly trusted sender domains unless they fail DMARC authentication
149  and (
150    (
151      sender.email.domain.root_domain in $high_trust_sender_root_domains
152      and not headers.auth_summary.dmarc.pass
153    )
154    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
155  )  
156attack_types:
157  - "Credential Phishing"
158tactics_and_techniques:
159  - "Social engineering"
160detection_methods:
161  - "Natural Language Understanding"
162  - "Sender analysis"
163id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"
to-top