Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
# Sublime Security detection rule. The MQL expression under `source` must
# evaluate true for a message to fire; the remaining keys are metadata.
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  // Gate 1: inbound mail only.
  type.inbound
  // Gate 2: at least one of three storage-alert content signals must be present.
  and (
    // (a) a small number of links plus "storage"/"mailbox" in the subject or sender display name
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
        regex.icontains(., "storage|mailbox")
      )
    )
    // (b) OCR of the rendered message: high-confidence credential-theft intent
    //     plus storage-quota wording, excluding messages that mention a "free plan"
    or (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      // NOTE(review): beta.ocr(file.message_screenshot()) is invoked three times in
      // this branch; confirm the engine memoizes the result.
      any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
        .name == "cred_theft" and .confidence == "high"
      )
      and regex.icontains(beta.ocr(file.message_screenshot()).text,
        "storage.{0,50}full",
        "free.{0,50}upgrade",
        "storage.{0,50}details",
        "storage.{0,50}quot",
        "email.{0,50}storage",
        "total.{0,50}storage",
        "storage.{0,50}limit"
      )
      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
        "*free plan*"
      )
    )
    // (c) a single hyperlinked image (no display text or display URL, hosted on a
    //     free file host or beehiiv.com) whose OCR text carries storage-quota wording
    or (
      any(body.links,
        // fingerprints of a hyperlinked image
        .display_text is null
        and .display_url.url is null
        and (
          .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain == "beehiiv.com"
        )
      )
      and length(attachments) == 1
      and all(attachments,
        .file_type in $file_types_images
        and .size > 2000
        and any(file.explode(.),
          // NOTE(review): this pattern list omits "storage.{0,50}limit" and has no
          // "*free plan*" exclusion, unlike branch (b) above; confirm whether that is intended.
          regex.icontains(.scan.ocr.raw,
            "storage.{0,50}full",
            "free.{0,50}upgrade",
            "storage.{0,50}details",
            "storage.{0,50}quot",
            "email.{0,50}storage",
            "total.{0,50}storage"
          )
        )
      )
    )
  )
  // Gate 3: the subject line must also carry storage-alert or urgency phrasing.
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "mailbox")
    or strings.icontains(subject.subject, "icloud")
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "storage space")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
    or strings.icontains(subject.subject, "undelivered messages")
    or strings.icontains(subject.subject, "review storage")
    or regex.icontains(subject.subject, "upgrade (today|now)")
  )

  // negate customer service requests about storage
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
    .name == "Customer Service and Support" and .confidence == "high"
  )

  // negate links to loopnet.com - a popular commercial property listing service
  and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))

  // negate legitimate sharepoint storage alerts
  // A no-reply@sharepointonline.com sender is only retained when DMARC fails AND at
  // least one link points outside sharepoint.com / microsoft.com / aka.ms; every
  // other sender passes this clause unchanged.
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
          .href_url.domain.root_domain in~ (
            "sharepoint.com",
            "microsoft.com",
            "aka.ms"
          )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts
  // Same shape as the SharePoint clause: noreply@icloud.com.cn is retained only on a
  // DMARC failure with a link outside icloud.com / aka.ms.
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
          .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate bouncebacks and undeliverables
  // Covers delivery-status parts attached directly and those nested inside an
  // attached message/rfc822.
  and not any(attachments,
    .content_type in (
      "message/global-delivery-status",
      "message/delivery-status",
    )
    or (
      .content_type == "message/rfc822"
      and any(file.parse_eml(.).attachments,
        .content_type in (
          "message/global-delivery-status",
          "message/delivery-status",
        )
      )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a $high_trust_sender_root_domains sender is retained only when DMARC fails.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender profile: the sender must be unsolicited, or have prior malicious/spam messages
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // The negation requires pphosted.com among the header domains and both SPF and
  // DMARC passing, so a message merely spoofing this address is not excluded.
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

# Stable rule identifier; do not change when editing the logic above.
id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"