Credential phishing: 'Secure message' and engaging language

Body contains language resembling credential theft, and a "secure message" from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Credential phishing: 'Secure message' and engaging language"
  2description: |
  3    Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  and any(ml.nlu_classifier(body.current_thread.text).intents,
  9          .name == "cred_theft" and .confidence == "high"
 10  )
 11  
 12  // ----- other suspicious signals here -----
 13  and (
 14    strings.icontains(body.html.display_text, "secure message")
 15    or strings.icontains(body.html.display_text, "document portal")
 16  )
 17  
 18  // todo: automated display name / human local part
 19  // todo: suspicious link (unfurl click trackers)
 20  
 21  // ----------
 22  
 23  // has at least 1 link
 24  and length(body.links) > 0
 25  
 26  // negate legitimate message senders
 27  and (
 28    sender.email.domain.root_domain not in ("protectedtrust.com")
 29    and any(body.links,
 30            .href_url.domain.root_domain != sender.email.domain.root_domain
 31    )
 32    // Negate known secure mailer(s)
 33    and not all(body.links,
 34                .href_url.domain.root_domain in ("mimecast.com", "cisco.com")
 35    )
 36    and any(headers.hops,
 37            .index == 0
 38            and not any(.fields,
 39                        strings.contains(.value,
 40                                         'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
 41                        )
 42            )
 43    )
 44    and not (
 45      length(filter(attachments,
 46                    strings.ilike(.file_name,
 47                                  "logo.*",
 48                                  "lock.gif",
 49                                  "SecureMessageAtt.html"
 50                    )
 51             )
 52      ) == 3
 53      and any(attachments,
 54              .file_type == "html"
 55              and any(file.explode(.),
 56                      .scan.html.title == "Proofpoint Encryption"
 57                      and any(.scan.url.urls, strings.iends_with(.path, 'formpostdir/safeformpost.aspx'))
 58              )
 59              and strings.count(file.parse_html(.).raw, 'name="msg') > 3
 60      )
 61    )
 62    and not (
 63      any(headers.hops, any(.fields, .name == 'X-ZixNet'))
 64      and any(headers.domains,
 65              .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
 66      )
 67    )
 68    and not (
 69      any(headers.hops, any(.fields, .name == 'X-SendInc-Message-Id'))
 70      and any(headers.domains,
 71              .root_domain in ("sendinc.net")
 72      )
 73    )
 74    // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
 75    and not length(filter(body.links,
 76                      (
 77                        .display_text is null
 78                        and .display_url.url == sender.email.domain.root_domain
 79                      )
 80                      or .href_url.domain.root_domain in ("aka.ms", "mimecast.com", "cisco.com")
 81               )
 82    ) == length(body.links)
 83  )
 84  and (
 85    (
 86      profile.by_sender().prevalence in ("new", "outlier")
 87      and not profile.by_sender().solicited
 88    )
 89    or (
 90      profile.by_sender().any_messages_malicious_or_spam
 91      and not profile.by_sender().any_false_positives
 92    )
 93  )
 94  and not profile.by_sender().any_false_positives
 95  
 96  // negate highly trusted sender domains unless they fail DMARC authentication
 97  and (
 98    (
 99      sender.email.domain.root_domain in $high_trust_sender_root_domains
100      and not headers.auth_summary.dmarc.pass
101    )
102    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
103  )  
104
105attack_types:
106  - "Credential Phishing"
107tactics_and_techniques:
108  - "Social engineering"
109detection_methods:
110  - "Natural Language Understanding"
111  - "Sender analysis"
112id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"
to-top