Credential phishing: 'Secure message' and engaging language
Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
Sublime rule (View on GitHub)
1name: "Credential phishing: 'Secure message' and engaging language"
2description: |
3 Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and (
9 (
10 any(ml.nlu_classifier(body.current_thread.text).intents,
11 .name == "cred_theft" and .confidence == "high"
12 )
13 // add fallback when NLU doesn't pick up cred theft to check for suspicious links
14 or any(body.current_thread.links,
15 regex.icontains(.display_text, '(?:read|view|open) the message')
16 and (
17 .href_url.domain.root_domain not in $tranco_1m
18 or .href_url.domain.domain in $free_file_hosts
19 or .href_url.domain.root_domain in $free_file_hosts
20 or .href_url.domain.root_domain in $free_subdomain_hosts
21 or .href_url.domain.domain in $url_shorteners
22 or .href_url.domain.domain in $social_landing_hosts
23 )
24 )
25 )
26 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
27 .name == "cred_theft" and .confidence in ("medium", "high")
28 )
29 )
30
31 // ----- other suspicious signals here -----
32 and (
33 (
34 regex.icontains(body.current_thread.text,
35 "secured? (message|directory|document)"
36 )
37 or strings.icontains(body.current_thread.text, "document portal")
38 or strings.icontains(body.current_thread.text, "encrypted message")
39 or strings.icontains(body.current_thread.text, "protected message")
40 )
41 or any(body.previous_threads,
42 regex.icontains(.text, "secured? (message|directory|document)")
43 or strings.icontains(.text, "document portal")
44 or strings.icontains(.text, "encrypted message")
45 or strings.icontains(.text, "protected message")
46 )
47 or any(body.current_thread.links,
48 regex.icontains(ml.link_analysis(.).final_dom.display_text,
49 'secured? (?:message|directory|document) access'
50 )
51 or regex.icontains(ml.link_analysis(.).final_dom.inner_text,
52 'secured? (?:message|directory|document) access'
53 )
54 )
55 or (
56 length(filter(ml.nlu_classifier(body.current_thread.text).entities,
57 .name == "urgency"
58 )
59 ) >= 2
60 and any(ml.nlu_classifier(body.current_thread.text).topics,
61 .name == "Secure Message" and .confidence != "low"
62 )
63 )
64 )
65 // todo: automated display name / human local part
66 // todo: suspicious link (unfurl click trackers)
67
68 // ----------
69
70 // has at least 1 link
71 and length(body.links) > 0
72
73 // negate legitimate message senders
74 and (
75 sender.email.domain.root_domain not in ("protectedtrust.com")
76 and any(body.links,
77 .href_url.domain.root_domain != sender.email.domain.root_domain
78 )
79 // negate known secure mailers
80 and not all(body.links,
81 .href_url.domain.root_domain in (
82 "mimecast.com",
83 "cisco.com",
84 "csiesafe.com"
85 )
86 )
87 and any(headers.hops,
88 .index == 0
89 and not any(.fields,
90 strings.contains(.value,
91 'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
92 )
93 )
94 )
95 and not (
96 length(filter(attachments,
97 strings.ilike(.file_name,
98 "logo.*",
99 "lock.gif",
100 "SecureMessageAtt.html"
101 )
102 )
103 ) == 3
104 and any(attachments,
105 .file_type == "html"
106 and any(file.explode(.),
107 .scan.html.title == "Proofpoint Encryption"
108 and any(.scan.url.urls,
109 strings.iends_with(.path,
110 'formpostdir/safeformpost.aspx'
111 )
112 )
113 )
114 and strings.count(file.parse_html(.).raw, 'name="msg') > 3
115 )
116 )
117 and not (
118 any(headers.hops,
119 any(.fields,
120 .name in (
121 'X-ZixNet',
122 'X-VPM-MIV',
123 'X-VPM-ActionCode',
124 'X-VPM-SmtpTo'
125 )
126 )
127 )
128 and any(headers.domains,
129 .root_domain in (
130 "zixport.com",
131 "zixcorp.com",
132 "zixmail.net",
133 "zixworks.com"
134 )
135 )
136 )
137 and not (
138 any(headers.hops, any(.fields, .name == 'X-SendInc-Message-Id'))
139 and any(headers.domains, .root_domain in ("sendinc.net"))
140 )
141 // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
142 and not length(filter(body.links,
143 (
144 .display_text is null
145 and .display_url.url == sender.email.domain.root_domain
146 )
147 or .href_url.domain.root_domain in (
148 "aka.ms",
149 "mimecast.com",
150 "cisco.com"
151 )
152 )
153 ) == length(body.links)
154 )
155 and (
156 (
157 profile.by_sender().prevalence in ("new", "outlier")
158 and not profile.by_sender().solicited
159 )
160 or (
161 profile.by_sender().any_messages_malicious_or_spam
162 and not profile.by_sender().any_messages_benign
163 )
164 // or the sender is all undisclosed or there are no recipients
165 or (
166 length(recipients.to) == 0
167 or all(recipients.to,
168 strings.ilike(.display_name, "undisclosed?recipients")
169 )
170 )
171 // or the sender exhibits a "self sender" pattern
172 or (
173 length(recipients.to) == 1
174 and any(recipients.to, .email.email == sender.email.email)
175 )
176 )
177 and not profile.by_sender().any_messages_benign
178
179 // negate highly trusted sender domains unless they fail DMARC authentication
180 and (
181 (
182 sender.email.domain.root_domain in $high_trust_sender_root_domains
183 and not headers.auth_summary.dmarc.pass
184 )
185 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
186 )
187attack_types:
188 - "Credential Phishing"
189tactics_and_techniques:
190 - "Social engineering"
191detection_methods:
192 - "Natural Language Understanding"
193 - "Sender analysis"
194id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"