Credential phishing: 'Secure message' and engaging language

Body contains language resembling credential theft, and a "secure message" from an untrusted sender.

Sublime rule (View on GitHub)

 1name: "Credential phishing: 'Secure message' and engaging language"
 2description: |
 3    Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(ml.nlu_classifier(body.current_thread.text).intents,
 9          .name == "cred_theft" and .confidence == "high"
10  )
11  
12  // ----- other suspicious signals here -----
13  and strings.icontains(body.html.display_text, "secure message")
14  
15  // todo: automated display name / human local part
16  // todo: suspicious link (unfurl click trackers)
17  
18  // ----------
19  
20  // has at least 1 link
21  and length(body.links) > 0
22  
23  // negate legitimate message senders
24  and (
25    sender.email.domain.root_domain not in ("protectedtrust.com")
26    and any(body.links,
27            .href_url.domain.root_domain != sender.email.domain.root_domain
28    )
29    // Negate known secure mailer(s)
30    and not all(body.links,
31                .href_url.domain.root_domain in ("mimecast.com", "cisco.com")
32    )
33    and any(headers.hops,
34            .index == 0
35            and not any(.fields,
36                        strings.contains(.value,
37                                         'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
38                        )
39            )
40    )
41    and not (
42      any(headers.hops, any(.fields, .name == 'X-ZixNet'))
43      and any(headers.domains,
44              .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
45      )
46    )
47    // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
48    and not length(filter(body.links,
49                      (
50                        .display_text is null
51                        and .display_url.url == sender.email.domain.root_domain
52                      )
53                      or .href_url.domain.root_domain in ("aka.ms", "mimecast.com", "cisco.com")
54               )
55    ) == length(body.links)
56  )
57  and (
58    (
59      profile.by_sender().prevalence in ("new", "outlier")
60      and not profile.by_sender().solicited
61    )
62    or (
63      profile.by_sender().any_messages_malicious_or_spam
64      and not profile.by_sender().any_false_positives
65    )
66  )
67  and not profile.by_sender().any_false_positives
68  
69  // negate highly trusted sender domains unless they fail DMARC authentication
70  and (
71    (
72      sender.email.domain.root_domain in $high_trust_sender_root_domains
73      and (
74        any(distinct(headers.hops, .authentication_results.dmarc is not null),
75            strings.ilike(.authentication_results.dmarc, "*fail")
76        )
77      )
78    )
79    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
80  )  
81
82attack_types:
83  - "Credential Phishing"
84tactics_and_techniques:
85  - "Social engineering"
86detection_methods:
87  - "Natural Language Understanding"
88  - "Sender analysis"
89id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"