Credential phishing: 'Secure message' and engaging language
Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
Sublime rule (View on GitHub)
1name: "Credential phishing: 'Secure message' and engaging language"
2description: |
3 Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(ml.nlu_classifier(body.current_thread.text).intents,
9 .name == "cred_theft" and .confidence == "high"
10 )
11
12 // ----- other suspicious signals here -----
13 and strings.icontains(body.html.display_text, "secure message")
14
15 // todo: automated display name / human local part
16 // todo: suspicious link (unfurl click trackers)
17
18 // ----------
19
20 // has at least 1 link
21 and length(body.links) > 0
22
23 // negate legitimate message senders
24 and (
25 sender.email.domain.root_domain not in ("protectedtrust.com")
26 and any(body.links,
27 .href_url.domain.root_domain != sender.email.domain.root_domain
28 )
29 // Negate known secure mailer(s)
30 and not all(body.links,
31 .href_url.domain.root_domain in ("mimecast.com", "cisco.com")
32 )
33 and any(headers.hops,
34 .index == 0
35 and not any(.fields,
36 strings.contains(.value,
37 'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
38 )
39 )
40 )
41 and not (
42 any(headers.hops, any(.fields, .name == 'X-ZixNet'))
43 and any(headers.domains,
44 .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
45 )
46 )
47 // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
48 and not length(filter(body.links,
49 (
50 .display_text is null
51 and .display_url.url == sender.email.domain.root_domain
52 )
53 or .href_url.domain.root_domain in ("aka.ms", "mimecast.com", "cisco.com")
54 )
55 ) == length(body.links)
56 )
57 and (
58 (
59 profile.by_sender().prevalence in ("new", "outlier")
60 and not profile.by_sender().solicited
61 )
62 or (
63 profile.by_sender().any_messages_malicious_or_spam
64 and not profile.by_sender().any_false_positives
65 )
66 )
67 and not profile.by_sender().any_false_positives
68
69 // negate highly trusted sender domains unless they fail DMARC authentication
70 and (
71 (
72 sender.email.domain.root_domain in $high_trust_sender_root_domains
73 and not headers.auth_summary.dmarc.pass
74 )
75 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
76 )
77
78attack_types:
79 - "Credential Phishing"
80tactics_and_techniques:
81 - "Social engineering"
82detection_methods:
83 - "Natural Language Understanding"
84 - "Sender analysis"
85id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"