Credential phishing: 'Secure message' and engaging language
Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
Sublime rule (View on GitHub)
1name: "Credential phishing: 'Secure message' and engaging language"
2description: |
3 Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(ml.nlu_classifier(body.current_thread.text).intents,
9 .name == "cred_theft" and .confidence == "high"
10 )
11
12 // ----- other suspicious signals here -----
13 and (
14 strings.icontains(body.html.display_text, "secure message")
15 or strings.icontains(body.html.display_text, "document portal")
16 or strings.icontains(body.html.display_text, "encrypted message")
17 )
18
19 // todo: automated display name / human local part
20 // todo: suspicious link (unfurl click trackers)
21
22 // ----------
23
24 // has at least 1 link
25 and length(body.links) > 0
26
27 // negate legitimate message senders
28 and (
29 sender.email.domain.root_domain not in ("protectedtrust.com")
30 and any(body.links,
31 .href_url.domain.root_domain != sender.email.domain.root_domain
32 )
33 // Negate known secure mailer(s)
34 and not all(body.links,
35 .href_url.domain.root_domain in ("mimecast.com", "cisco.com")
36 )
37 and any(headers.hops,
38 .index == 0
39 and not any(.fields,
40 strings.contains(.value,
41 'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
42 )
43 )
44 )
45 and not (
46 length(filter(attachments,
47 strings.ilike(.file_name,
48 "logo.*",
49 "lock.gif",
50 "SecureMessageAtt.html"
51 )
52 )
53 ) == 3
54 and any(attachments,
55 .file_type == "html"
56 and any(file.explode(.),
57 .scan.html.title == "Proofpoint Encryption"
58 and any(.scan.url.urls, strings.iends_with(.path, 'formpostdir/safeformpost.aspx'))
59 )
60 and strings.count(file.parse_html(.).raw, 'name="msg') > 3
61 )
62 )
63 and not (
64 any(headers.hops, any(.fields, .name == 'X-ZixNet'))
65 and any(headers.domains,
66 .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
67 )
68 )
69 and not (
70 any(headers.hops, any(.fields, .name == 'X-SendInc-Message-Id'))
71 and any(headers.domains,
72 .root_domain in ("sendinc.net")
73 )
74 )
75 // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
76 and not length(filter(body.links,
77 (
78 .display_text is null
79 and .display_url.url == sender.email.domain.root_domain
80 )
81 or .href_url.domain.root_domain in ("aka.ms", "mimecast.com", "cisco.com")
82 )
83 ) == length(body.links)
84 )
85 and (
86 (
87 profile.by_sender().prevalence in ("new", "outlier")
88 and not profile.by_sender().solicited
89 )
90 or (
91 profile.by_sender().any_messages_malicious_or_spam
92 and not profile.by_sender().any_false_positives
93 )
94 )
95 and not profile.by_sender().any_false_positives
96
97 // negate highly trusted sender domains unless they fail DMARC authentication
98 and (
99 (
100 sender.email.domain.root_domain in $high_trust_sender_root_domains
101 and not headers.auth_summary.dmarc.pass
102 )
103 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
104 )
105
106attack_types:
107 - "Credential Phishing"
108tactics_and_techniques:
109 - "Social engineering"
110detection_methods:
111 - "Natural Language Understanding"
112 - "Sender analysis"
113id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"