Commonly abused sender TLD with engaging language
Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.
# Sublime Security detection rule: YAML metadata wrapping an MQL query in `source`.
# Fires on unsolicited inbound mail from a "*.jp" sender TLD that shows several
# engagement / credential-theft indicators at once.
name: "Commonly abused sender TLD with engaging language"
description: |
  Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.
type: "rule"
# Medium: every indicator below is heuristic (NLU, OCR, a path regex), so the
# rule requires three of them plus a sender-history condition before it fires.
severity: "medium"
source: |
  // Only inbound messages are evaluated.
  type.inbound

  // we don't do a suspicious link check here
  // because we are seeing abuse of mass marketing tools
  // like campaign[.]adobe[.]com
  // once we roll out better support for unfurling those,
  // we can update this logic
  // The message must still carry at least one link in the body.
  and length(body.links) > 0

  // commonly abused sender TLD
  // NOTE(review): the glob "*.jp" matches multi-label public suffixes such as
  // co.jp / ne.jp / or.jp; a sender directly under the bare "jp" TLD
  // (example.jp) does not match it. Confirm that exclusion is intended.
  and strings.ilike(sender.email.domain.tld, "*.jp")

  // At least three of the seven indicators below must be present.
  and 3 of (
    // language attempting to engage
    // NLU entity detection on the current thread's text.
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),

    // financial request
    any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
    ),

    // urgency request
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),

    // known suspicious pattern in the URL path
    // NOTE(review): regex.match anchors to the whole string (regex.contains is
    // the substring form), so as written this only fires when the entire path
    // is "/" + three letters + one digit + one letter (e.g. "/abc1d"). Confirm
    // an exact six-character path is the intended pattern rather than a prefix.
    any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),

    // suspicious image that's most likely cred_theft
    // Each image attachment is exploded and its OCR text is run through the
    // NLU classifier, looking for a cred_theft intent or a financial entity.
    // $file_types_images is a list maintained outside this rule.
    any(attachments,
      .file_type in $file_types_images
      and any(file.explode(.),
        any(ml.nlu_classifier(.scan.ocr.raw).intents,
          .name == "cred_theft"
        )
        or any(ml.nlu_classifier(.scan.ocr.raw).entities,
          .name == "financial"
        )
      )
    ),

    // recipient's SLD is in the sender's display name
    // (the From display name impersonates the recipient's organisation).
    // The second clause limits this to recipients with a valid domain or an
    // "undisclosed recipients" placeholder entry.
    // NOTE(review): for an "undisclosed" entry .email.domain.sld may be
    // empty; confirm icontains with an empty needle cannot match every name.
    any(recipients.to,
      strings.icontains(sender.display_name, .email.domain.sld)
      and (
        .email.domain.valid or strings.icontains(.display_name, "undisclosed")
      )
    ),

    // recipient's email address in the subject
    // (same recipient-validity guard as the display-name check above).
    any(recipients.to,
      strings.icontains(subject.subject, .email.email)
      and (
        .email.domain.valid or strings.icontains(.display_name, "undisclosed")
      )
    ),
  )

  // Sender history: the sender is unsolicited, or has only ever been seen
  // sending malicious/spam mail with no benign messages on record.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // Explicit false-positive exclusion for a known-legitimate co.jp sender.
  and not sender.email.domain.root_domain in ("amazon.co.jp")

  // negate highly trusted sender domains unless they fail DMARC authentication
  // $high_trust_sender_root_domains is a list maintained outside this rule.
  // NOTE(review): a high-trust domain is excluded only when dmarc.pass is
  // true; confirm how a missing/unevaluated DMARC result is treated here, since
  // that decides whether such senders are still eligible to fire the rule.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata; not part of the detection logic.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
# Rule identifier.
id: "447386dc-e748-5aca-8da4-a3d15345550c"