Credential Phishing: Fake Storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
Sublime rule (View on GitHub)
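name: "Credential Phishing: Fake Storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // three alternative entry conditions: a storage/mailbox keyword in the
  // subject or display name, OCR of a screenshot of the message, or a
  // hyperlinked image whose OCR text carries storage wording
  and (
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "storage|mailbox")
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          and regex.icontains(.scan.ocr.raw,
                              "storage.{0,50}full",
                              "free.{0,50}upgrade",
                              "storage.{0,50}details",
                              "storage.{0,50}quot",
                              "email.{0,50}storage",
                              "total.{0,50}storage"
          )
          and not strings.ilike(.scan.ocr.raw, "*free plan*")
      )
    )
    or (
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
          and length(attachments) == 1
          and all(attachments,
                  .file_type in $file_types_images
                  and .size > 2000
                  and any(file.explode(.),
                          regex.icontains(.scan.ocr.raw,
                                          "storage.{0,50}full",
                                          "free.{0,50}upgrade",
                                          "storage.{0,50}details",
                                          "storage.{0,50}quot",
                                          "email.{0,50}storage",
                                          "total.{0,50}storage"
                          )
                  )
          )
      )
    )
  )
  // the subject must additionally carry one of these alert cues
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "icloud")
    or strings.icontains(subject.subject, "limit")
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "storage space")
  )
  // negate links to loopnet.com - a popular commercial property listing service
  and not (
    any(body.links, .href_url.domain.root_domain == "loopnet.com")
  )

  // negate legitimate sharepoint storage alerts: mail from the exact SharePoint
  // notification address only matches when DMARC fails AND at least one link
  // leaves the Microsoft domains listed below
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts (same shape as the SharePoint
  // block above)
  // NOTE(review): "aka.ms" is the Microsoft short-link domain allowlisted in the
  // SharePoint block; confirm it is intended for iCloud alerts rather than
  // carried over, since an unintended allowlisted domain widens the negation
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "icloud.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // only fire for senders the recipient has not solicited, or senders with a
  // prior malicious/spam history
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"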