Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
Sublime rule
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
# The query below is MQL; the `//` lines inside it are comments that belong to the query text.
source: |
  type.inbound
  // Gate 1: the message must match one of three lure shapes (text, message screenshot,
  // or hyperlinked image attachment). The subject wording check further down applies to all three.
  and (
    // (a) Text lure: a handful of links, and "storage"/"mailbox" in the subject or sender display name.
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "storage|mailbox")
      )
    )
    // (b) Screenshot lure: OCR of a rendered screenshot of the message is classified as
    // high-confidence credential theft, carries storage-quota phrasing, and does not mention a "free plan".
    or (
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          and regex.icontains(beta.ocr(file.message_screenshot()).text,
                              "storage.{0,50}full",
                              "free.{0,50}upgrade",
                              "storage.{0,50}details",
                              "storage.{0,50}quot",
                              "email.{0,50}storage",
                              "total.{0,50}storage"
          )
          and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
      
    )
    // (c) Image-attachment lure: a link with no display text or display URL (i.e. an image that is
    // itself the link) pointing at a free file host or beehiiv.com, plus exactly one image
    // attachment (.size > 2000) whose OCR text carries the same storage-quota phrasing as (b).
    or (
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
      )
      and length(attachments) == 1
      and all(attachments,
              .file_type in $file_types_images
              and .size > 2000
              and any(file.explode(.),
                      regex.icontains(.scan.ocr.raw,
                                      "storage.{0,50}full",
                                      "free.{0,50}upgrade",
                                      "storage.{0,50}details",
                                      "storage.{0,50}quot",
                                      "email.{0,50}storage",
                                      "total.{0,50}storage"
                      )
              )
      )
    )
  )
  // Gate 2: the subject must carry urgency or quota wording, whichever lure shape matched above.
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "icloud")
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "storage space")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
    or strings.icontains(subject.subject, "review storage")
  )
  
  // negate customer service requests about storage
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Customer Service and Support" and .confidence == "high"
  )
  
  // negate links to loopnet.com - a popular commercial property listing service
  and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))
  
  // negate legitimate sharepoint storage alerts
  // NOTE(review): when the sender address matches, the rule only keeps the message if DMARC fails
  // AND at least one link leaves the listed Microsoft domains. A DMARC-failing message from this
  // address whose links all stay on-brand is therefore negated too, not just DMARC-passing ones.
  // The same shape is used for the iCloud China negation below.
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )
  
  // negate legitimate iCloud China storage alerts
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )
  
  // negate bouncebacks and undeliverables
  // Looks for delivery-status parts directly on the message and one level down inside a
  // forwarded message/rfc822 attachment.
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status",
              )
              or (
                .content_type == "message/rfc822"
                and any(file.parse_eml(.).attachments,
                        .content_type in (
                          "message/global-delivery-status",
                          "message/delivery-status",
                        )
                )
              )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // "unsolicited" gate from the rule title: the sender profile is not solicited, or the sender
  // already has malicious/spam messages on record.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // (exact sender address, a pphosted.com header domain, and both SPF and DMARC passing)
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )  
# Classification metadata used by the rule catalogue.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"