Credential phishing: 'Secure message' and engaging language
Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
Sublime rule (View on GitHub)
1name: "Credential phishing: 'Secure message' and engaging language"
2description: |
3 Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(ml.nlu_classifier(body.current_thread.text).intents,
9 .name == "cred_theft" and .confidence == "high"
10 )
11
12 // ----- other suspicious signals here -----
13 and (
14 strings.icontains(body.html.display_text, "secure message")
15 or strings.icontains(body.html.display_text, "document portal")
16 )
17
18 // todo: automated display name / human local part
19 // todo: suspicious link (unfurl click trackers)
20
21 // ----------
22
23 // has at least 1 link
24 and length(body.links) > 0
25
26 // negate legitimate message senders
27 and (
28 sender.email.domain.root_domain not in ("protectedtrust.com")
29 and any(body.links,
30 .href_url.domain.root_domain != sender.email.domain.root_domain
31 )
32 // Negate known secure mailer(s)
33 and not all(body.links,
34 .href_url.domain.root_domain in ("mimecast.com", "cisco.com")
35 )
36 and any(headers.hops,
37 .index == 0
38 and not any(.fields,
39 strings.contains(.value,
40 'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
41 )
42 )
43 )
44 and not (
45 length(filter(attachments,
46 strings.ilike(.file_name,
47 "logo.*",
48 "lock.gif",
49 "SecureMessageAtt.html"
50 )
51 )
52 ) == length(attachments)
53 and any(attachments,
54 .file_type == "html"
55 and any(file.explode(.),
56 .scan.html.title == "Proofpoint Encryption"
57 )
58 and strings.count(file.parse_html(.).raw, 'name="msg') > 3
59 )
60 )
61 and not (
62 any(headers.hops, any(.fields, .name == 'X-ZixNet'))
63 and any(headers.domains,
64 .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
65 )
66 )
67 // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
68 and not length(filter(body.links,
69 (
70 .display_text is null
71 and .display_url.url == sender.email.domain.root_domain
72 )
73 or .href_url.domain.root_domain in ("aka.ms", "mimecast.com", "cisco.com")
74 )
75 ) == length(body.links)
76 )
77 and (
78 (
79 profile.by_sender().prevalence in ("new", "outlier")
80 and not profile.by_sender().solicited
81 )
82 or (
83 profile.by_sender().any_messages_malicious_or_spam
84 and not profile.by_sender().any_false_positives
85 )
86 )
87 and not profile.by_sender().any_false_positives
88
89 // negate highly trusted sender domains unless they fail DMARC authentication
90 and (
91 (
92 sender.email.domain.root_domain in $high_trust_sender_root_domains
93 and not headers.auth_summary.dmarc.pass
94 )
95 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
96 )
97
98attack_types:
99 - "Credential Phishing"
100tactics_and_techniques:
101 - "Social engineering"
102detection_methods:
103 - "Natural Language Understanding"
104 - "Sender analysis"
105id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"