Fake voicemail notification (untrusted sender)
This rule detects a common credential phishing vector that entices the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body or subject, or a combination of those elements with emojis or a medium-to-high credential-theft NLU intent, from a first-time, unsolicited sender.
Sublime rule (View on GitHub)
# Sublime Security detection rule: YAML metadata plus an MQL query under `source`.
# The query must evaluate to true for the rule to fire on a message.
name: "Fake voicemail notification (untrusted sender)"
description: |
  This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve.
  The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail carrying fewer than five links.
  type.inbound
  and length(body.links) < 5
  // voicemail related
  // Required signal: voicemail wording in the subject or the sender display name,
  // or in the current thread's body text. "caii" covers an l->i substitution of
  // "call"; the trailing alternative matches a partially masked phone number such
  // as (123) ***-*** or (123) 456-***. The body-text check is written inside the
  // any() predicate but does not reference the element (.), so it acts as a plain OR.
  and (
    any([subject.subject, sender.display_name, ],
        regex.icontains(.,
                        '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|playback|\([0-9]{3}\).(\*\*\*|[0-9]{3}).\*\*\*'
        )
        or regex.icontains(body.current_thread.text,
                           '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|\([0-9]{3}\).(\*\*\*|[0-9]{3}).\*\*\*'
        )
    )
  )
  // Corroboration: at least two of the following ten indicators must hold.
  and 2 of (
    // 1. NLU classifies the thread text as credential theft with medium/high confidence.
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("cred_theft") and .confidence in ("medium", "high")
      )
    ),
    // 2. An HTML/text attachment renders with a Microsoft logo (medium/high confidence).
    (
      any(attachments,
          .content_type in ("html", "text")
          and any(ml.logo_detect(file.html_screenshot(.)).brands,
                  .name in ("Microsoft") and .confidence in ("medium", "high")
          )
      )
    ),
    // 3. Voicemail wording specifically in the sender display name.
    (
      regex.icontains(sender.display_name,
                      '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription'
      )
    ),
    // 4. Short body containing accented look-alikes of common English words,
    //    a filter-evasion pattern.
    (
      length(body.current_thread.text) < 700
      and regex.icontains(body.current_thread.text,
                          'Méssãge|Méssage|Recéived|Addréss'
      )
    ),
    // 5. Every link points away from the sender's domain, the org's domains and a
    //    short allow list of voicemail/telephony providers.
    //    NOTE(review): all() over an empty list is vacuously true in most
    //    evaluators, so a message with zero links would satisfy this indicator;
    //    confirm MQL's semantics if that is not intended.
    (
      // sender domain matches no body domains
      all(body.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
          and .href_url.domain.root_domain not in $org_domains
          and .href_url.domain.root_domain not in (
            "unitelvoice.com",
            "googleapis.com",
            "dialmycalls.com",
            "ringcentral.biz"
          )
      )
    ),
    // 6. Link display text with voicemail wording and an uppercase letter.
    //    NOTE(review): regex.contains is case-sensitive and this pattern is
    //    unanchored, so '[^a-z]*[A-Z][^a-z]*' matches any display text that
    //    contains at least one uppercase letter; if all-caps text was the intent,
    //    the pattern would need ^ and $ anchors.
    (
      any(body.links,
          regex.contains(.display_text, '[^a-z]*[A-Z][^a-z]*')
          and regex.icontains(.display_text,
                              '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|audio note'
          )
      )
    ),
    // 7. A link whose URL path is exactly "/ctt" and whose display text has voicemail
    //    wording. TODO(review): document which service's redirect path "/ctt" refers to.
    (
      any(body.links,
          .href_url.path == "/ctt"
          and regex.icontains(.display_text,
                              '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|audio note'
          )
      )
    ),
    // 8. A link to a domain registered less than 10 days ago (excluding unsubscribe paths).
    (
      any(body.links,
          network.whois(.href_url.domain).days_old < 10
          and not strings.icontains(.href_url.path, "unsubscribe")
      )
    ),
    // 9. The sender display name impersonates the recipient's organisation.
    (
      // recipient's SLD is in the sender's display name
      any(recipients.to,
          strings.icontains(sender.display_name, .email.domain.sld)
      )
    ),
    // 10. Emoji (pictograph/symbol code point ranges) in the display name or subject.
    (
      any([sender.display_name, subject.subject],
          regex.contains(.,
                         '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
          )
      )
    ),
  )

  // negating legit replies and legitimate audio file attachments and known voicemail senders
  // NOTE(review): this exclusion keys on the sender root domain alone and is not
  // tied to any sender-authentication result, so it depends on the From domain
  // being genuine; consider pairing it with an authentication check.
  and sender.email.domain.root_domain not in (
    "magicjack.com",
    "unitelvoice.com",
    "voipinterface.net",
    "ringcentral.biz"
  )
  // A real audio attachment is treated as a legitimate voicemail.
  and not any(attachments, strings.starts_with(.content_type, "audio"))
  // Reply/auto-reply exclusion requires BOTH a reply-style subject AND threading
  // headers (References or In-Reply-To); a bare "RE:" subject alone is not excluded.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      // the NLU model will handle these better natively soon
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // Sender reputation gate: either a new/outlier sender the recipient never
  // solicited, or a sender with prior malicious/spam verdicts and no false positives.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

# Classification metadata used for reporting and rule catalogues.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
# Stable rule identifier; keep unchanged when editing the query.
id: "74ba7787-e543-5ce8-b6eb-e1ecdb8f1d67"