Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
# Sublime Security detection rule; the MQL query lives in the `source` block scalar.
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // one of three storage-themed lures must be present:
  //   1. a storage/mailbox keyword in the subject or display name with a small number of links
  //   2. OCR of the rendered message classified as cred_theft with a storage phrase
  //   3. a single hyperlinked image attachment whose OCR carries a storage phrase
  and (
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "storage|mailbox")
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          // OCR text of the screenshot must hit the cred_theft intent at high confidence
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          and regex.icontains(.scan.ocr.raw,
                              "storage.{0,50}full",
                              "free.{0,50}upgrade",
                              "storage.{0,50}details",
                              "storage.{0,50}quot",
                              "email.{0,50}storage",
                              "total.{0,50}storage"
          )
          // OCR text mentioning a free plan is excluded from this branch
          and not strings.ilike(.scan.ocr.raw, "*free plan*")
      )
    )
    or (
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          // the image link must point at a free file host or beehiiv.com
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
          // exactly one attachment, an image with .size above 2000, whose OCR carries a storage phrase
          and length(attachments) ==1
          and all(attachments,
                  .file_type in $file_types_images
                  and .size > 2000
                  and any(file.explode(.),
                          regex.icontains(.scan.ocr.raw,
                                          "storage.{0,50}full",
                                          "free.{0,50}upgrade",
                                          "storage.{0,50}details",
                                          "storage.{0,50}quot",
                                          "email.{0,50}storage",
                                          "total.{0,50}storage"
                          )
                  )
          )
      )
    )
  )
  // the subject must also carry a quota / urgency phrase
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "icloud")
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "storage space")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
  )
  // negate links to loopnet.com - a popular commercial property listing service
  and not (
    any(body.links, .href_url.domain.root_domain == "loopnet.com")
  )

  // negate legitimate sharepoint storage alerts
  // a message from this sender stays in scope only if it fails DMARC
  // and at least one link leaves the listed Microsoft domains
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts
  // same shape as the sharepoint negation above: DMARC failure plus an off-domain link
  // NOTE(review): "aka.ms" here mirrors the Microsoft list above — confirm iCloud China
  // alerts actually link to it; otherwise it widens the negation unnecessarily
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "icloud.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate bouncebacks and undeliverables
  // covers delivery-status parts both at the top level and nested inside an attached rfc822 message
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status",
              )
              or (
                .content_type == "message/rfc822"
                and any(file.parse_eml(.).attachments,
                        .content_type in (
                          "message/global-delivery-status",
                          "message/delivery-status",
                        )
                )
              )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // only unsolicited senders, or senders with a malicious/spam history, are flagged
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
# classification metadata consumed by the rule catalogue
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"