Fake voicemail notification (untrusted sender)
This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.
Sublime rule (View on GitHub)
1name: "Fake voicemail notification (untrusted sender)"
2description: |
3 This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve.
4 The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.
5type: "rule"
6severity: "medium"
7source: |
8 type.inbound
9 // contains links or attachments
10 and (0 < length(body.links) <= 15 or 0 < length(attachments) <= 3)
11 // the subject or display_name need some keywords which are voicemail related
12 and (
13 any([subject.subject, sender.display_name],
14 regex.icontains(.,
15 // split phrases that occur within 3 words between or only punctuation between them
16 '(?:v[nm](\b|[[:punct:]])|\bvoice(?:mail|message)?|audio|missed(?:\sa\s)?|left( a)?|wireless)(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:mail|message|msg|recording|received|notif|support|call\d*\b|ca[il][il](?:er)?|log|transcript(?:ion)?\b)',
17 // strong phrases
18 '(?:open mp3|audio note|\.wav|left a vm|unanswered.*call|incoming.vm|left msg|wireless caller|VM Service|voice message|missed.called|call.(?:support|service)(?: for| log)?|missed.{0,10} VM|new voicemail from|new.v.m.from.\+?\d+|new voicemail?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}transcript(s|ion)?|message received)',
19 'ca[li][li](?:er)?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:playback|transcript)',
20 // obfuscated phone number with at least one digit in the area code and at least one obfuscated number in the last group
21 // 555-555-555X, 555-555-XXXX, 555-5XX-XXXX
22 '\b1?\(?(\d{3}|\d{2}[\*X]|\d[\*X]{2})\)?[^a-z0-9]{0,2}(\d{2,3}|\d{2}[\*X]|\d[\*X]{2}|[\*X]{2,3})[^a-z0-9]{0,4}(\d{3}[\*X]|\d{2}[\*X]{2}|\d[\*X]{3}|[\*X]{3,4})[^0-9]',
23 // obfuscated phone number with at least one digit in the prefix
24 // XXX-555-5555, XXX-5XX-XXXX
25 '\b1?\(?(\d{2}[\*X]|\d[\*X]{2}|[\*X]{2,3})\)?[^a-z0-9]{0,2}(\d{2,3}|\d{2}[\*X]|\d[\*X]{2})[^a-z0-9]{0,4}(\d{4}|\d{3}[\*X]|\d{2}[\*X]{2}|\d[\*X]{3}|[\*X]{3,4})\b',
26 )
27 )
28 // body.current_thread.text inspection should be very specific to avoid FP
29 or regex.icontains(
30 strings.replace_confusables(body.current_thread.text),
31 //body.current_thread.text,
32 'you (?:have |received )*(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}\bvoice(?:mail|audio)? (?: message)?',
33 'sent (?:from|by) (?:your )?voice (?:mail )?system',
34 'new (?:voice(?:mail)?|audio) (?:message|notification|record)',
35 'voicemail (is )?attached',
36 'a new encrypted voicemail',
37 'Your have incoming voiceRec',
38 "you(?:\'ve| have) a (?:new )?missed call",
39 'New Voicemail Received',
40 'left you a (?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:voice(?:mail)?|audio)(?: message)?',
41 'New missed call record',
42 'voicemail transcript(?:ion)?',
43 'Listen to VoiceMail'
44 )
45 // phishing template observed https://platform.sublime.security/messages/341eed2be003036cdd3eeee575202df8a7472b6567d0dfa0f99c3b3fb42a8e7f
46 or strings.icontains(body.html.raw, '<title>Voicemail Notification</title>')
47 or strings.icontains(body.html.raw, '<!-- Voicemail phone logo')
48 )
49
50 and 2 of (
51 (
52 // the sender is a freemail
53 sender.email.domain.root_domain in $free_email_providers
54 ),
55 (
56 any(ml.nlu_classifier(body.current_thread.text).intents,
57 .name in ("cred_theft") and .confidence in ("medium", "high")
58 )
59 ),
60 (
61 any(attachments,
62 .content_type in ("html", "text", "text/html")
63 and any(ml.logo_detect(file.html_screenshot(.)).brands,
64 .name in ("Microsoft") and .confidence in ("medium", "high")
65 )
66 )
67 ),
68 (
69 regex.icontains(sender.display_name,
70 '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|(transcription|Caller.?ID)'
71 )
72 ),
73 // attachment names are often HTML and voice mail related
74 (
75 any(attachments,
76 (
77 .content_type in ("html", "text", "text/html")
78 or .file_type in ("html", "unknown")
79 or .file_type == "pdf"
80 )
81 and (
82 regex.icontains(.file_name,
83 '(?:voice|audio|call|missed|caii|mail|message|recording|call|caii|transcription|v[nm]|audio|play|listen|unheard|msg)',
84 // contains a time
85 // 01min , 60secs
86 '0?[1-9]\s*min(?:(?:ute)?s)?',
87 '\d{1,2}\s*s(?:ec(?:ond)?s)?',
88 // (00:50s)
89 // 3:26 seconds
90 '[\(\[]?(?:\d{1,2}[\:\s-])\d{1,2}[\)\]]?\s*(?:s(?:(?:ecs?)onds)?)[\)\]]?',
91 // 03min25secs
92 '0?[1-9]\s*min(?:(?:ute)?s)?\d{1,2}\s*s(?:ec(?:ond)?s)?',
93 // [0:39]
94 // (0:39)
95 '[\(\[](?:\d{1,2}[\:\s-])\d{1,2}[\)\]]\s',
96 // contains an emoji
97 '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
98 )
99 // somtimes there is no name, it's just the extension which is also strange
100 or .file_name in~ (".htm", ".html")
101 // or sometimes it has no name....
102 or .file_name is null
103 )
104 )
105 ),
106 // html attachment is small and contains javascript
107 (
108 any(attachments,
109 (
110 .content_type in ("html", "text", "text/html")
111 or .file_type in ("html", "unknown")
112 )
113 and (.size < 1500 and any(file.explode(.), length(.scan.html.scripts) > 0)
114 )
115 )
116 ),
117 (
118 any(attachments,
119 (
120 .content_type in ("html", "text", "text/html")
121 or .file_type in ("html", "unknown")
122 )
123 and any(recipients.to,
124 // the html attachment contains a receipient email address
125 strings.contains(file.parse_html(..).raw, .email.email)
126 // the sld of the domain is in the attachment name
127 or strings.contains(..file_name, .email.domain.sld)
128 )
129 )
130 ),
131 // the body links contain the recipients email
132 (
133 length(filter(recipients.to, .email.email != "" or .email.domain.valid)) > 0
134 and any(body.links,
135 any(recipients.to,
136 strings.icontains(..href_url.url, .email.email)
137 or strings.icontains(..href_url.url, .email.local_part)
138 )
139 )
140 ),
141 (
142 length(body.current_thread.text) < 700
143 and regex.icontains(body.current_thread.text,
144 'Méssãge|Méssage|Recéived|Addréss'
145 )
146 ),
147 (
148 // sender domain matches no body domains
149 // only inspect "links" that have a display_text and display_url is null to remove "plain text" email address from being caught
150 length(filter(body.links,
151 .display_text is not null and .display_url.url is null and .href_url.domain.valid
152 )
153 ) > 0
154 and all(filter(body.links,
155 .display_text is not null and .display_url.url is null and .href_url.domain.valid
156 ),
157 .href_url.domain.root_domain != sender.email.domain.root_domain
158 and .href_url.domain.root_domain not in $org_domains
159 and .href_url.domain.root_domain not in ("aka.ms")
160 and .href_url.domain.root_domain not in (
161 "unitelvoice.com",
162 "googleapis.com",
163 "dialmycalls.com",
164 "ringcentral.biz"
165 )
166 )
167 ),
168 // the body links contain vm related phrases
169 (
170 any(body.links,
171 regex.contains(.display_text, '[^a-z]*[A-Z][^a-z]*')
172 and regex.icontains(.display_text,
173 '(v[nm]|voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|audio note|listen|playback|\(?(?:\*\*\*|[0-9]{3})?.(?:\*\*\*|[0-9]{3})[^a-z]{0,2}(?:\*{4}|\d+\*+)|play'
174 )
175 // negate FP terms in link display texts
176 and not strings.icontains(.display_text, 'voice call center')
177 )
178 ),
179 (
180 any(body.links,
181 .href_url.path == "/ctt"
182 and regex.icontains(.display_text,
183 '(v[nm]|voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|audio note|listen|playback|\(?(?:\*\*\*|[0-9]{3})?.(?:\*\*\*|[0-9]{3})[^a-z]{0,2}(?:\*{4}|\d+\*+)|play'
184 )
185 // negate FP terms in link display texts
186 and not strings.icontains(.display_text, 'voice call center')
187 )
188 ),
189 // new domains
190 (
191 any(body.links,
192 network.whois(.href_url.domain).days_old < 10
193 and not strings.icontains(.href_url.path, "unsubscribe")
194 )
195 ),
196 (
197 any(recipients.to,
198 // recipient's SLD is in the sender's display name
199 strings.icontains(sender.display_name, .email.domain.sld)
200 // recipient's SLD is in the sender's display name
201 or strings.icontains(subject.subject, .email.domain.sld)
202 )
203 ),
204 // often times the subject or sender display name will contain time references
205 (
206 any([sender.display_name, subject.subject, body.current_thread.text],
207 regex.icontains(.,
208 // 01min , 60secs
209 '0?[1-9]\s*min(?:(?:ute)?s)?\b',
210 '\d{1,2}\s*s(?:ec(?:ond)?s)?\b',
211 // (00:50s)
212 // 3:26 seconds
213 '[\(\[]?(?:\d{1,2}[\:\s-])\d{1,2}[\)\]]?\s*(?:s(?:(?:ecs?)onds)?)[\)\]]?',
214 // 03min25secs
215 '0?[1-9]\s*min(?:(?:ute)?s)?\d{1,2}\s*s(?:ec(?:ond)?s)?',
216 // [0:39]
217 // (0:39)
218 '[\(\[](?:\d{1,2}[\:\s-])\d{1,2}[\)\]]\s'
219 )
220 )
221 ),
222 // often times the subject or sender display name will contain dates
223 (
224 any([sender.display_name, subject.subject],
225 // days of week
226 any([
227 'monday',
228 'tuesday',
229 'wednesday',
230 'thursday',
231 'friday',
232 'saturday',
233 'sunday'
234 ],
235 strings.icontains(.., .)
236 )
237 // months
238 // may is problematic for words like "Mayor", "Maybe", "MayFlower", etc
239 or any([
240 "January",
241 "February",
242 "March",
243 "April",
244 "June",
245 "July",
246 "August",
247 "September",
248 "October",
249 "November",
250 "December"
251 ],
252 strings.icontains(.., .)
253 )
254 // use a regex for May
255 or regex.icontains(., '\bmay\b')
256 // common date formats
257 or regex.contains(.,
258 // YYYY-MM-DD or YY-MM-DD (ISO 8601 format)
259 '\d{2}(\d{2})?-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])',
260 // MM/DD/YYYY or MM/DD/YY (US format)
261 '(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/\d{2}(\d{2})?',
262 // DD/MM/YYYY or DD/MM/YY (European format)
263 '(0[1-9]|[12]\d|3[01])/(0[1-9]|1[0-2])/\d{2}(\d{2})?',
264 // Month DD, YYYY or Month DD, YY (e.g., March 15, 2024 or March 15, 24)
265 '(January|February|March|April|May|June|July|August|September|October|November|December) (0[1-9]|[12]\d|3[01]), \d{2}(\d{2})?'
266 )
267 // common time formats
268 or regex.contains(.,
269 // Example: 23:45, 08:30
270 '([01]\d|2[0-3]):([0-5]\d)',
271 // Example: 23:45:59, 08:30:12
272 '([01]\d|2[0-3]):([0-5]\d):([0-5]\d)',
273 // Example: 08:30 AM, 12:45 pm
274 '(0[1-9]|1[0-2]):([0-5]\d)\s?([AaPp][Mm])',
275 // Example: 08:30 AM, 12:45 pm
276 '(0[1-9]|1[0-2]):([0-5]\d):([0-5]\d) ?([AaPp][Mm])'
277 )
278 )
279 ),
280 // there are often emoji in the sender display name
281 (
282 any([sender.display_name, subject.subject],
283 // contains an emoji
284 regex.contains(.,
285 '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
286 )
287 // negate where the emoji occur in tags
288 and not regex.contains(.,
289 '^(?:\[[^\]]*\]\s*)*\[[^\]]*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}][^\]]*\]'
290 )
291 )
292 ),
293 // an attachment is a pdf or image that contains a url
294 (
295 1 <= length(attachments) <= 2
296 and any(attachments,
297 (.file_type in $file_types_images or .file_type == "pdf")
298 and any(file.explode(.),
299 .scan.qr.type == "url"
300 or strings.icontains(.scan.qr.data, 'http')
301 or any(recipients.to,
302 strings.icontains(..scan.qr.data, .email.local_part)
303 or strings.icontains(..scan.qr.data, .email.email)
304 )
305 )
306 )
307 )
308 )
309
310 // negating legit replies and legitimate audio file attachments and known voicemail senders
311 and not (
312 sender.email.domain.valid
313 and sender.email.domain.root_domain in (
314 "magicjack.com",
315 "unitelvoice.com",
316 "voipinterface.net",
317 "ringcentral.biz",
318 "verizonwireless.com",
319 "t-mobile.com"
320 )
321 )
322 and not any(attachments, strings.starts_with(.content_type, "audio"))
323 and not (
324 (
325 strings.istarts_with(subject.subject, "RE:")
326 // out of office auto-reply
327 // the NLU model will handle these better natively soon
328 or strings.istarts_with(subject.subject, "Automatic reply:")
329 )
330 and (
331 length(headers.references) > 0
332 or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
333 )
334 )
335 and (
336 (
337 profile.by_sender().prevalence in ("new", "outlier")
338 and not profile.by_sender().solicited
339 )
340 or (
341 profile.by_sender().any_messages_malicious_or_spam
342 and not profile.by_sender().any_false_positives
343 )
344 )
345 // negate highly trusted sender domains unless they fail DMARC authentication
346 and (
347 (
348 sender.email.domain.root_domain in $high_trust_sender_root_domains
349 and not headers.auth_summary.dmarc.pass
350 )
351 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
352 )
353 // bounce-back negations
354 and not any(attachments,
355 any(file.parse_eml(.).attachments,
356 .content_type == "message/delivery-status"
357 )
358 )
359 // bounce-back negations
360 and not (
361 any(attachments,
362 .content_type in ("message/delivery-status", "text/calendar")
363 )
364 )
365 // negate bouncebacks from proofpoint
366 and not (
367 sender.display_name == "Mail Delivery Subsystem"
368 and strings.ends_with(headers.message_id, "pphosted.com>")
369 and any(headers.hops,
370 .index == 0 and strings.contains(.received.server.raw, "pphosted.com")
371 )
372 and any(attachments, .content_type == "message/rfc822")
373 )
374attack_types:
375 - "Credential Phishing"
376tactics_and_techniques:
377 - "Social engineering"
378detection_methods:
379 - "Content analysis"
380 - "Natural Language Understanding"
381 - "Sender analysis"
382 - "URL analysis"
383id: "74ba7787-e543-5ce8-b6eb-e1ecdb8f1d67"