Credential phishing: Fake storage alerts (unsolicited)

This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.


# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# The query is one conjunction, read top to bottom: a content match (one of
# three branches), a subject keyword, a series of negations for known-legitimate
# mail and bounces, and a sender-profile gate (unsolicited, or prior
# malicious/spam history).
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  // Content match: at least one of the three branches below must hold.
  and (
    // Branch 1: a short link list (1 to 7 links) and "storage" or "mailbox"
    // in the subject or the sender display name (case-insensitive).
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "storage|mailbox")
      )
    )
    // Branch 2: OCR text of the rendered-message screenshot is classified as
    // high-confidence cred_theft AND matches one of the storage-alert phrases,
    // but does not contain "free plan" (presumably to drop legitimate
    // plan-upgrade marketing — confirm against sample false positives).
    or (
      any(file.explode(beta.message_screenshot()),
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
               .name == "cred_theft" and .confidence == "high"
          )
          and regex.icontains(.scan.ocr.raw,
                            "storage.{0,50}full",
                            "free.{0,50}upgrade",
                            "storage.{0,50}details",
                            "storage.{0,50}quot",
                            "email.{0,50}storage",
                            "total.{0,50}storage"
          )
          and not strings.ilike(.scan.ocr.raw, "*free plan*")
      )
    )
    // Branch 3: a hyperlinked-image message — a link with no display text and
    // no display URL, pointing at a free file host or beehiiv.com, with exactly
    // one image attachment whose OCR text matches the same six storage-alert
    // phrases as branch 2. The .size threshold is presumably in bytes — confirm
    // against the attachment schema.
    or (
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
          and length(attachments) ==1
          and all(attachments,
                  .file_type in $file_types_images
                  and .size > 2000
                  and any(file.explode(.),
                          regex.icontains(.scan.ocr.raw,
                            "storage.{0,50}full",
                            "free.{0,50}upgrade",
                            "storage.{0,50}details",
                            "storage.{0,50}quot",
                            "email.{0,50}storage",
                            "total.{0,50}storage"
          )
                  )
          )
      )
    )
  )
  // The subject must also carry a storage/urgency keyword. The two regexes use
  // word boundaries, so e.g. "fully" and "limitless" do not match.
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "icloud")
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "storage space")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
  )
  // negate links to loopnet.com - a popular commercial property listing service
  and not (
      any(body.links, .href_url.domain.root_domain == "loopnet.com")
  )

  // negate legitimate sharepoint storage alerts: mail from the SharePoint
  // notification address stays in scope only when it fails DMARC AND at least
  // one link leaves sharepoint.com / microsoft.com / aka.ms (in~ is a
  // case-insensitive membership test); every other sender passes this clause.
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts: same shape as the SharePoint
  // clause — kept only on DMARC failure plus a link outside icloud.com / aka.ms.
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "icloud.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate bouncebacks and undeliverables, including delivery-status parts
  // nested inside an attached message/rfc822
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status",
              )
              or (
                .content_type == "message/rfc822"
                and any(file.parse_eml(.).attachments,
                        .content_type in (
                          "message/global-delivery-status",
                          "message/delivery-status",
                        )
                )
              )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication:
  // a root domain on the high-trust list stays in scope only when DMARC does
  // not pass; domains not on the list are unaffected by this clause.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender-profile gate: the sender must be unsolicited, or have prior
  // malicious/spam messages on record.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
# Classification metadata.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

# Rule identifier.
id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"