Fake voicemail notification (unsolicited)

This rule detects a common credential phishing vector that entices the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, or subject, or a combination of those elements with emojis or a medium-to-high credential-theft NLU intent, from an unsolicited sender.

Sublime rule

name: "Fake voicemail notification (unsolicited)"
description: |
  This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve.
  The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from an unsolicited sender.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 5
  // voicemail related
  and (
    any([subject.subject, sender.display_name, ],
        regex.icontains(., '(voice)\s?(mail|message|recording|call)|transcription')
        or regex.contains(body.current_thread.text, '(voice)\s?(mail|message|recording|call)')
    )
  )
    and 2 of (
      (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name in ("cred_theft") and .confidence in ("medium", "high")
        )
      ),
      (regex.icontains(sender.display_name, 'voice\s?(mail|message|recording|call|transcription)')),
      (
        // sender domain matches no body domains
        all(body.links,
            .href_url.domain.root_domain != sender.email.domain.root_domain
            and .href_url.domain.root_domain not in $org_domains
            and .href_url.domain.root_domain not in (
              "unitelvoice.com",
              "googleapis.com",
              "dialmycalls.com"
            )
        )
      ),
      (
        // recipient's SLD is in the sender's display name
        any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
      ),
      (
        any([sender.display_name, subject.subject, body.current_thread.text],
            regex.contains(.,
                           '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
            )
        )
      ),
    )
    and (
      sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com", "voipinterface.net")
      or not any(attachments, strings.starts_with(.content_type, "audio"))
    )

    // negating legit replies
    and not (
      (
        strings.istarts_with(subject.subject, "RE:")
        // out of office auto-reply
        // the NLU model will handle these better natively soon
        or strings.istarts_with(subject.subject, "Automatic reply:")
      )
      and (
        length(headers.references) > 0
        or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
      )
    )

  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "74ba7787-e543-5ce8-b6eb-e1ecdb8f1d67"
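To make the rule's boolean structure concrete, here is an added Python re-implementation of its logic run over a few constructed messages; it is example code written for this page, not Sublime's rule engine or the project's own code. It mirrors the order of checks above (link count, voicemail verbiage, the "2 of" signal block, the VoIP-provider audio exemption, the threaded-reply negation, and the unsolicited-sender test). Three things are assumptions rather than faithful MQL: the NLU `cred_theft` confidence is taken as an input field instead of running a classifier, `root_domain` is simplified to the last two labels (MQL uses the public suffix list), and `$recipient_emails` / `$recipient_domains` are modelled as sets of addresses and domains the organisation has previously mailed.

```python
import re
from dataclasses import dataclass, field, replace

# Regexes copied from the rule; the body match is case-sensitive there (regex.contains)
VOICEMAIL_RE = re.compile(r"(voice)\s?(mail|message|recording|call)|transcription", re.IGNORECASE)
BODY_VOICEMAIL_RE = re.compile(r"(voice)\s?(mail|message|recording|call)")
DISPLAY_NAME_RE = re.compile(r"voice\s?(mail|message|recording|call|transcription)", re.IGNORECASE)
EMOJI_RE = re.compile(
    "[\U0001F300-\U0001F5FF\U0001F600-\U0001F64F\U0001F680-\U0001F6FF\U0001F700-\U0001F77F"
    "\U0001F780-\U0001F7FF\U0001F900-\U0001F9FF\u2600-\u26FF\u2700-\u27BF\u2300-\u23FF]"
)
ALLOWED_LINK_ROOTS = {"unitelvoice.com", "googleapis.com", "dialmycalls.com"}
VOIP_SENDER_ROOTS = {"magicjack.com", "unitelvoice.com", "voipinterface.net"}


@dataclass
class Message:
    """The fields the rule reads, flattened. All sample values below are constructed."""
    sender_email: str
    sender_display_name: str
    subject: str
    body_text: str
    link_hosts: list            # hostnames of body.links
    recipients: list            # recipients.to addresses
    cred_theft_confidence: str = "low"   # stand-in for the NLU cred_theft intent (assumption)
    attachment_types: list = field(default_factory=list)
    references_count: int = 0   # length(headers.references)
    has_in_reply_to: bool = False


def root_domain(host):
    # Simplification: last two labels. MQL's root_domain uses the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def sld(host):
    return root_domain(host).split(".")[0]


def is_fake_voicemail(msg, org_domains, free_email_providers, contacted_emails, contacted_domains):
    """contacted_* stand in for $recipient_emails / $recipient_domains (assumption: previously mailed)."""
    sender_domain = msg.sender_email.split("@")[1].lower()
    sender_root = root_domain(sender_domain)
    if len(msg.link_hosts) >= 5:
        return False
    # voicemail verbiage in subject/display name (case-insensitive) or body (case-sensitive)
    if not (any(VOICEMAIL_RE.search(s) for s in (msg.subject, msg.sender_display_name))
            or BODY_VOICEMAIL_RE.search(msg.body_text)):
        return False
    recipient_domains = {r.split("@")[1].lower() for r in msg.recipients}
    signals = [
        msg.cred_theft_confidence in ("medium", "high"),
        bool(DISPLAY_NAME_RE.search(msg.sender_display_name)),
        # all() over an empty link list is true here, as in the rule's all(body.links, ...)
        all(root_domain(h) != sender_root and root_domain(h) not in org_domains
            and root_domain(h) not in ALLOWED_LINK_ROOTS for h in msg.link_hosts),
        any(sld(d) in msg.sender_display_name.lower() for d in recipient_domains),
        any(EMOJI_RE.search(s) for s in (msg.sender_display_name, msg.subject, msg.body_text)),
    ]
    if sum(signals) < 2:
        return False
    # known VoIP providers are excused only when a real audio attachment is present
    if sender_root in VOIP_SENDER_ROOTS and any(t.startswith("audio") for t in msg.attachment_types):
        return False
    # negating legitimate replies: reply-looking subject AND threading headers
    subj = msg.subject.lower()
    if ((subj.startswith("re:") or subj.startswith("automatic reply:"))
            and (msg.references_count > 0 or msg.has_in_reply_to)):
        return False
    # unsolicited sender: free-mail senders are matched by address, others by domain
    if sender_root in free_email_providers:
        return msg.sender_email.lower() not in {e.lower() for e in contacted_emails}
    return sender_domain not in {d.lower() for d in contacted_domains}


# Constructed sample data
ORG_DOMAINS = {"corp.example"}
FREE_PROVIDERS = {"gmail.com", "outlook.com"}
CONTACTED_EMAILS = {"friend@gmail.com"}
CONTACTED_DOMAINS = {"vendor.example"}

PHISH = Message("notify@mail-example.test", "Voicemail Service 🔊", "New Voice Message (0:42)",
                "You have a new voicemail. Listen now.", ["login.example.test"],
                ["alice@corp.example"], cred_theft_confidence="high")
VOIP_WITH_AUDIO = Message("alerts@magicjack.com", "magicJack Voicemail 📞", "New voicemail",
                          "Your voicemail is attached.", ["magicjack.com"], ["bob@corp.example"],
                          attachment_types=["audio/wav"])
REPLY = Message("carol@partner.example", "Carol", "RE: voicemail transcription request",
                "Here is the voice message transcription you asked for ✅", ["partner.example"],
                ["bob@corp.example"], cred_theft_confidence="medium", references_count=2)


def run_samples():
    args = (ORG_DOMAINS, FREE_PROVIDERS, CONTACTED_EMAILS, CONTACTED_DOMAINS)
    return {
        "phish": is_fake_voicemail(PHISH, *args),
        "voip_with_audio": is_fake_voicemail(VOIP_WITH_AUDIO, *args),
        "threaded_reply": is_fake_voicemail(REPLY, *args),
        "unthreaded_reply": is_fake_voicemail(replace(REPLY, references_count=0), *args),
    }


if __name__ == "__main__":
    print(run_samples())
```

The four samples show the parts of the rule that do the real work: the phishing message trips four of the five signals, the magicJack message trips two but is excused because it carries an audio attachment, and the partner reply is excused only while its `References` header is present; the same message with no threading headers is flagged, which is exactly the gap the `not (...)` block is written to cover.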