Fake voicemail notification (untrusted sender)

This rule detects a common credential phishing vector that entices the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body or subject, combined with further signals such as emojis in those elements or a medium-to-high confidence credential-theft NLU intent, from a first-time, unsolicited sender.

Sublime rule

name: "Fake voicemail notification (untrusted sender)"
description: |
  This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve.
  The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.  
type: "rule"
severity: "medium"
# MQL query; the rule matches when the whole expression evaluates true.
# Shape: inbound + few links + voicemail lure wording
#   + at least 2 of 10 corroborating signals
#   - exclusions for known voicemail providers, audio attachments and threaded replies
#   + an untrusted-sender gate built on profile.by_sender().
# Comments inside the block use MQL's `//` syntax; a YAML `#` here would become query text.
source: |
  type.inbound
  // lure emails usually carry one call-to-action link; cap the link count
  and length(body.links) < 5
  // voicemail related
  // "caii" presumably covers "call" written with a capital I in place of l (homoglyph) - confirm
  // the final alternative of the first regex is a masked phone-number shape, e.g. (123) ***-***
  // note: "playback" is only in the subject/display-name regex, not in the body regex
  and (
    any([subject.subject, sender.display_name, ],
        regex.icontains(.,
                        '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|playback|\([0-9]{3}\).(\*\*\*|[0-9]{3}).\*\*\*'
        )
        or regex.icontains(body.current_thread.text,
                           '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|\([0-9]{3}\).(\*\*\*|[0-9]{3}).\*\*\*'
        )
    )
  )
  // at least two of the following ten corroborating signals must hold
  and 2 of (
    (
      // 1. NLU classifies the current thread as credential theft with medium/high confidence
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("cred_theft") and .confidence in ("medium", "high")
      )
    ),
    (
      // 2. an html/text attachment whose rendered screenshot shows a Microsoft logo
      any(attachments,
          .content_type in ("html", "text")
          and any(ml.logo_detect(file.html_screenshot(.)).brands,
                  .name in ("Microsoft") and .confidence in ("medium", "high")
          )
      )
    ),
    (
      // 3. voicemail wording in the sender display name itself
      regex.icontains(sender.display_name,
                      '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription'
      )
    ),
    (
      // 4. short body using accented lookalike spellings of common words
      length(body.current_thread.text) < 700
      and regex.icontains(body.current_thread.text,
                          'Méssãge|Méssage|Recéived|Addréss'
      )
    ),
    (
      // 5. sender domain matches no body domains
      // every link root domain is neither the sender's, the org's, nor a listed voicemail provider
      all(body.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
          and .href_url.domain.root_domain not in $org_domains
          and .href_url.domain.root_domain not in (
            "unitelvoice.com",
            "googleapis.com",
            "dialmycalls.com",
            "ringcentral.biz"
          )
      )
    ),
    (
      // 6. link display text containing uppercase plus voicemail wording
      // NOTE(review): regex.contains with '[^a-z]*[A-Z][^a-z]*' is unanchored, so it is satisfied
      // by any single uppercase letter; if the intent is all-caps display text, anchor it as
      // '^[^a-z]*[A-Z][^a-z]*$'
      any(body.links,
          regex.contains(.display_text, '[^a-z]*[A-Z][^a-z]*')
          and regex.icontains(.display_text,
                              '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|audio note'
          )
      )
    ),
    (
      // 7. link whose URL path is exactly "/ctt" with voicemail wording in its display text
      // presumably a path seen in observed campaigns - confirm against samples
      any(body.links,
          .href_url.path == "/ctt"
          and regex.icontains(.display_text,
                              '(voice|audio|call|missed|caii)(\s?|-)(mail|message|recording|call|caii)|transcription|open mp3|audio note'
          )
      )
    ),
    (
      // 8. link domain registered fewer than 10 days ago (whois), ignoring unsubscribe paths
      any(body.links,
          network.whois(.href_url.domain).days_old < 10
          and not strings.icontains(.href_url.path, "unsubscribe")
      )
    ),
    (
      // 9. recipient's SLD is in the sender's display name
      // i.e. the display name borrows the recipient organisation's own domain label
      any(recipients.to,
          strings.icontains(sender.display_name, .email.domain.sld)
      )
    ),
    (
      // 10. emoji or pictographic symbol (code-point ranges of the emoji/symbol blocks)
      // in the display name or subject
      any([sender.display_name, subject.subject],
          regex.contains(.,
                         '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
          )
      )
    ),
  )
  
  // negating legit replies and legitimate audio file attachments and known voicemail senders
  and sender.email.domain.root_domain not in (
    "magicjack.com",
    "unitelvoice.com",
    "voipinterface.net",
    "ringcentral.biz"
  )
  // a real voicemail delivery presumably attaches the recording itself - confirm
  and not any(attachments, strings.starts_with(.content_type, "audio"))
  // exclude replies/auto-replies only when threading headers back up the subject prefix
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      // the NLU model will handle these better natively soon
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // untrusted-sender gate: new/outlier and unsolicited, or a sender with prior
  // malicious/spam verdicts and no recorded false positives
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )  

# Classification metadata.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
# Rule identifier.
id: "74ba7787-e543-5ce8-b6eb-e1ecdb8f1d67"