Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only. Three alternative content branches establish the
  // "storage alert" lure; a subject-line keyword gate and a series of
  // negations (first-party storage senders, trusted domains, bouncebacks,
  // solicited senders, a security-vendor analyzer) then trim false positives.
  type.inbound
  and (
    // Branch 1: a small number of links plus a storage/mailbox keyword in
    // either the subject or the sender display name
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "storage|mailbox")
      )
    )
    // Branch 2: the rendered message screenshot is OCR'd, classified as
    // credential theft with high confidence, and carries storage-pressure
    // phrasing (mentions of a "free plan" are excluded)
    or (
      any(file.explode(file.message_screenshot()),
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          and regex.icontains(.scan.ocr.raw,
                              "storage.{0,50}full",
                              "free.{0,50}upgrade",
                              "storage.{0,50}details",
                              "storage.{0,50}quot",
                              "email.{0,50}storage",
                              "total.{0,50}storage"
          )
          and not strings.ilike(.scan.ocr.raw, "*free plan*")
      )
    )
    // Branch 3: image-only lure - exactly one image attachment (size > 2000)
    // whose OCR text carries storage-pressure phrasing, plus a link with no
    // visible text pointing at a free file host or beehiiv.com
    or (
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
      )
      and length(attachments) == 1
      and all(attachments,
              .file_type in $file_types_images
              and .size > 2000
              and any(file.explode(.),
                      regex.icontains(.scan.ocr.raw,
                                      "storage.{0,50}full",
                                      "free.{0,50}upgrade",
                                      "storage.{0,50}details",
                                      "storage.{0,50}quot",
                                      "email.{0,50}storage",
                                      "total.{0,50}storage"
                      )
              )
      )
    )
  )
  // Subject-line gate: whichever branch matched, the subject must also carry
  // a quota or urgency phrase typical of these lures
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "icloud")
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "storage space")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
    or strings.icontains(subject.subject, "review storage")
  )

  // negate customer service requests about storage
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Customer Service and Support" and .confidence == "high"
  )

  // negate links to loopnet.com - a popular commercial property listing service
  and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))

  // negate legitimate sharepoint storage alerts
  // (the first-party address is exempted only while its DMARC passes or every
  // link stays on the listed Microsoft domains; a DMARC failure combined with
  // an off-domain link still fires)
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts
  // (same DMARC / link-domain structure as the SharePoint exemption above)
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate bouncebacks and undeliverables
  // (delivery-status parts attached directly, or inside an attached
  // message/rfc822 that is parsed as an email)
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status",
              )
              or (
                .content_type == "message/rfc822"
                and any(file.parse_eml(.).attachments,
                        .content_type in (
                          "message/global-delivery-status",
                          "message/delivery-status",
                        )
                )
              )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender history: only unsolicited senders, or senders with prior
  // malicious/spam messages, remain eligible
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // (both SPF and DMARC must pass, so the exemption does not apply to an
  // unauthenticated message that merely uses this address)
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"