Credential Phishing: Fake Password Expiration from New and Unsolicited sender

This rule looks for password expiration verbiage in the subject and body. It requires between 1 and 9 links, no attachments, a short body, and an NLU credential-theft intent in addition to statically specified term anchors. High-trust senders are also negated unless they fail DMARC, and replies to existing threads are excluded.

Sublime rule

name: "Credential Phishing: Fake Password Expiration from New and Unsolicited sender"
description: "This rule looks for password expiration verbiage in the subject and body. Requiring between 1 - 9 links, a short body, and NLU in addition to statically specified term anchors. High trust senders are also negated."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // few links
  and 0 < length(body.links) < 10

  // no attachments
  and length(attachments) == 0

  // body contains expire, expiration, loose, lose
  and regex.icontains(body.current_thread.text, '(expir(e|ation)|lo(o)?se)')

  // subject or body contains account or access
  // (the iterated field is '.', so the subject is actually checked)
  and any([subject.subject, body.current_thread.text],
          regex.icontains(., "account|access")
  )

  // subject or body must contain password
  and any([subject.subject, body.current_thread.text],
          regex.icontains(., '\bpassword\b')
  )

  // NLU classifies the body as credential theft with high confidence
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
  )

  // body length between 600 and 2000
  and 600 < length(body.current_thread.text) < 2000

  // and no false positives and not solicited
  and (
    not profile.by_sender().any_false_positives
    and not profile.by_sender().solicited
  )

  // not a reply
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "5d9c3a75-5f57-5d0c-a07f-0f300bbde076"
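To show how the rule's clauses combine, here is an added plain-Python stand-in for the rule's and-chain, evaluated over constructed messages; it is not Sublime's code. The `Email` fields, the high-trust domain list, and the NLU flag (stubbed in place of `ml.nlu_classifier`) are assumptions, and the regexes follow the rule's comments.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for $high_trust_sender_root_domains.
HIGH_TRUST_ROOT_DOMAINS = {"trusted-saas.example"}

@dataclass
class Email:
    subject: str
    body: str                          # body.current_thread.text
    links: int                         # length(body.links)
    attachments: int = 0
    sender_root_domain: str = "cold-sender.example"
    dmarc: Optional[str] = None        # authentication_results.dmarc, e.g. "pass"/"fail"
    nlu_cred_theft_high: bool = True   # stub: cred_theft intent at high confidence
    references: int = 0                # length(headers.references)
    in_reply_to: bool = False          # an In-Reply-To header on any hop
    sender_false_positives: bool = False
    sender_solicited: bool = False

def matches(e: Email) -> bool:
    """True only when every clause of the rule holds."""
    fields = (e.subject, e.body)
    high_trust = e.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS
    return (
        0 < e.links < 10
        and e.attachments == 0
        and re.search(r"expir(e|ation)|lo(o)?se", e.body, re.I) is not None
        # subject OR body: iterate both fields rather than checking the body twice
        and any(re.search(r"account|access", f, re.I) for f in fields)
        and any(re.search(r"\bpassword\b", f, re.I) for f in fields)
        and e.nlu_cred_theft_high
        and 600 < len(e.body) < 2000
        and not e.sender_false_positives and not e.sender_solicited
        and (e.references == 0 or not e.in_reply_to)
        # high-trust senders are negated unless their DMARC result is a failure
        and (not high_trust or (e.dmarc or "").lower().endswith("fail"))
    )

PHISH_BODY = (  # constructed lure, padded into the 600-2000 character window
    "Your account password has reached its expiration date. You will lose access "
    "unless you confirm your password at the link below within 24 hours.\n"
) + "Sent by the IT service desk. Do not reply to this message. " * 10

def demo() -> dict:
    base = dict(subject="Action required: password expiration", body=PHISH_BODY, links=1)
    trusted = dict(base, sender_root_domain="trusted-saas.example")
    return {
        "cold_phish": matches(Email(**base)),                                    # True
        "reply_thread": matches(Email(**base, references=2, in_reply_to=True)),  # False
        "trusted_dmarc_pass": matches(Email(**trusted, dmarc="pass")),           # False
        "trusted_dmarc_fail": matches(Email(**trusted, dmarc="fail")),           # True
    }
```

The `reply_thread` and `trusted_dmarc_pass` cases show the two negations doing their work: the same lure text is not flagged when it arrives inside an existing thread or from a high-trust domain that passes DMARC.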