Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
Sublime rule (View on GitHub)
1name: "Credential phishing: Fake storage alerts (unsolicited)"
2description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 (
9 0 < length(body.links) < 8
10 and any([subject.subject, sender.display_name],
11 regex.icontains(., "storage|mailbox")
12 )
13 )
14 or (
15 //
16 // This rule makes use of a beta feature and is subject to change without notice
17 // using the beta feature in custom rules is not suggested until it has been formally released
18 //
19 any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
20 .name == "cred_theft" and .confidence == "high"
21 )
22 and regex.icontains(beta.ocr(file.message_screenshot()).text,
23 "storage.{0,50}full",
24 "free.{0,50}upgrade",
25 "storage.{0,50}details",
26 "storage.{0,50}quot",
27 "email.{0,50}storage",
28 "total.{0,50}storage",
29 "storage.{0,50}limit"
30 )
31 and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
32
33 )
34 or (
35 any(body.links,
36 // fingerprints of a hyperlinked image
37 .display_text is null
38 and .display_url.url is null
39 and (
40 .href_url.domain.root_domain in $free_file_hosts
41 or .href_url.domain.root_domain == "beehiiv.com"
42 )
43 )
44 and length(attachments) == 1
45 and all(attachments,
46 .file_type in $file_types_images
47 and .size > 2000
48 and any(file.explode(.),
49 regex.icontains(.scan.ocr.raw,
50 "storage.{0,50}full",
51 "free.{0,50}upgrade",
52 "storage.{0,50}details",
53 "storage.{0,50}quot",
54 "email.{0,50}storage",
55 "total.{0,50}storage"
56 )
57 )
58 )
59 )
60 )
61 and (
62 regex.icontains(subject.subject, '\bfull\b')
63 or strings.icontains(subject.subject, "exceeded")
64 or strings.icontains(subject.subject, "out of")
65 or strings.icontains(subject.subject, "mailbox")
66 or strings.icontains(subject.subject, "icloud")
67 or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
68 or strings.icontains(subject.subject, "all storage used")
69 or strings.icontains(subject.subject, "compliance")
70 or strings.icontains(subject.subject, "max storage")
71 or strings.icontains(subject.subject, "storage space")
72 or strings.icontains(subject.subject, "be deleted")
73 or strings.icontains(subject.subject, "action required")
74 or strings.icontains(subject.subject, "review storage")
75 or regex.icontains(subject.subject, "upgrade (today|now)")
76 )
77
78 // negate customer service requests about storage
79 and not any(ml.nlu_classifier(body.current_thread.text).topics,
80 .name == "Customer Service and Support" and .confidence == "high"
81 )
82
83 // negate links to loopnet.com - a popular commerical property listing service
84 and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))
85
86 // negate legitimate sharepoint storage alerts
87 and (
88 (
89 sender.email.email == "no-reply@sharepointonline.com"
90 and not headers.auth_summary.dmarc.pass
91 and (
92 not all(body.links,
93 .href_url.domain.root_domain in~ (
94 "sharepoint.com",
95 "microsoft.com",
96 "aka.ms"
97 )
98 )
99 )
100 )
101 or sender.email.email != "no-reply@sharepointonline.com"
102 )
103
104 // negate legitimate iCloud China storage alerts
105 and (
106 (
107 sender.email.email == "noreply@icloud.com.cn"
108 and not headers.auth_summary.dmarc.pass
109 and (
110 not all(body.links,
111 .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
112 )
113 )
114 )
115 or sender.email.email != "noreply@icloud.com.cn"
116 )
117
118 // negate bouncebacks and undeliverables
119 and not any(attachments,
120 .content_type in (
121 "message/global-delivery-status",
122 "message/delivery-status",
123 )
124 or (
125 .content_type == "message/rfc822"
126 and any(file.parse_eml(.).attachments,
127 .content_type in (
128 "message/global-delivery-status",
129 "message/delivery-status",
130 )
131 )
132 )
133 )
134
135 // negate highly trusted sender domains unless they fail DMARC authentication
136 and (
137 (
138 sender.email.domain.root_domain in $high_trust_sender_root_domains
139 and not headers.auth_summary.dmarc.pass
140 )
141 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
142 )
143 and (
144 not profile.by_sender().solicited
145 or profile.by_sender().any_messages_malicious_or_spam
146 )
147 // negate instances where proofpoint sends a review of a reported message via analyzer
148 and not (
149 sender.email.email == "analyzer@analyzer.securityeducation.com"
150 and any(headers.domains, .root_domain == "pphosted.com")
151 and headers.auth_summary.spf.pass
152 and headers.auth_summary.dmarc.pass
153 )
154attack_types:
155 - "Credential Phishing"
156tactics_and_techniques:
157 - "Social engineering"
158detection_methods:
159 - "Content analysis"
160 - "Sender analysis"
161
162id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"