Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
# Sublime Security detection rule for credential phishing that impersonates a
# "storage full" / mailbox-quota alert. The `source` block is MQL and is evaluated
# per message; comments inside it use MQL's `//` syntax, not YAML's `#`.
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Lure evidence: at least one of three sources must match — the visible
  // subject/display name, OCR of a screenshot of the rendered message, or OCR
  // of a single hyperlinked image attachment.
  and (
    (
      // Branch 1: between 1 and 7 links (chained comparison) plus a
      // storage/mailbox keyword in the subject or sender display name
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "storage|mailbox")
      )
    )
    or (
      // Branch 2: OCR of the rendered message must both classify as credential
      // theft with high confidence and contain a storage/upgrade phrase
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      and regex.icontains(beta.ocr(file.message_screenshot()).text,
                          "storage.{0,50}full",
                          "free.{0,50}upgrade",
                          "storage.{0,50}details",
                          "storage.{0,50}quot",
                          "email.{0,50}storage",
                          "total.{0,50}storage",
                          "storage.{0,50}limit"
      )
      // exclude OCR text mentioning a "free plan" (presumably genuine plan/quota notices)
      and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")

    )
    or (
      // Branch 3: the whole lure is a single image attachment hyperlinked to a
      // free file host (or beehiiv.com), with no display text or display URL
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
      )
      and length(attachments) == 1
      and all(attachments,
              .file_type in $file_types_images
              and .size > 2000
              and any(file.explode(.),
                      // NOTE(review): this list omits "storage.{0,50}limit", which the
                      // screenshot-OCR list in branch 2 includes — confirm whether intended
                      regex.icontains(.scan.ocr.raw,
                                      "storage.{0,50}full",
                                      "free.{0,50}upgrade",
                                      "storage.{0,50}details",
                                      "storage.{0,50}quot",
                                      "email.{0,50}storage",
                                      "total.{0,50}storage"
                      )
              )
      )
    )
  )
  // Whichever branch matched, the subject must also carry a quota/urgency phrase
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "mailbox")
    or strings.icontains(subject.subject, "icloud")
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "storage space")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
    or strings.icontains(subject.subject, "undelivered messages")
    or strings.icontains(subject.subject, "review storage")
    or regex.icontains(subject.subject, "upgrade (today|now)")
  )

  // negate customer service requests about storage
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Customer Service and Support" and .confidence == "high"
  )

  // negate links to loopnet.com - a popular commercial property listing service
  and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))

  // negate legitimate sharepoint storage alerts: mail claiming to be from
  // no-reply@sharepointonline.com is kept only when it fails DMARC AND links
  // somewhere outside the Microsoft domains listed below
  // NOTE(review): when no DMARC result is present, `not headers.auth_summary.dmarc.pass`
  // depends on how `not` treats a missing value — confirm the intended outcome
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts (same shape as the SharePoint block)
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate bouncebacks and undeliverables, including delivery-status parts
  // nested inside a forwarded message/rfc822 attachment
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status",
              )
              or (
                .content_type == "message/rfc822"
                and any(file.parse_eml(.).attachments,
                        .content_type in (
                          "message/global-delivery-status",
                          "message/delivery-status",
                        )
                )
              )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a DMARC failure from such a domain would indicate spoofing)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // only unsolicited senders, or solicited senders with prior malicious/spam history
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // (requires the analyzer sender, a pphosted.com header domain, and SPF + DMARC pass)
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
# Classification metadata
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

# Rule identifier
id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"