Credential Phishing: Fake Storage alerts (unsolicited)

This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.

Sublime rule (View on GitHub)

  1name: "Credential Phishing: Fake Storage alerts (unsolicited)"
  2description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      0 < length(body.links) < 8
 10      and any([subject.subject, sender.display_name],
 11              regex.icontains(., "storage|mailbox")
 12      )
 13    )
 14    or (
 15      any(file.explode(beta.message_screenshot()),
 16          any(ml.nlu_classifier(.scan.ocr.raw).intents,
 17               .name == "cred_theft" and .confidence == "high"
 18          )
 19          and regex.icontains(.scan.ocr.raw,
 20                            "storage.{0,50}full",
 21                            "free.{0,50}upgrade",
 22                            "storage.{0,50}details",
 23                            "storage.{0,50}quot",
 24                            "email.{0,50}storage",
 25                            "total.{0,50}storage"
 26          )
 27          and not strings.ilike(.scan.ocr.raw, "*free plan*")
 28      )
 29    )
 30    or (
 31      any(body.links,
 32          // fingerprints of a hyperlinked image
 33          .display_text is null
 34          and .display_url.url is null
 35          and (
 36            .href_url.domain.root_domain in $free_file_hosts
 37            or .href_url.domain.root_domain == "beehiiv.com"
 38          )
 39          and length(attachments) ==1
 40          and all(attachments,
 41                  .file_type in $file_types_images
 42                  and .size > 2000
 43                  and any(file.explode(.),
 44                          regex.icontains(.scan.ocr.raw,
 45                            "storage.{0,50}full",
 46                            "free.{0,50}upgrade",
 47                            "storage.{0,50}details",
 48                            "storage.{0,50}quot",
 49                            "email.{0,50}storage",
 50                            "total.{0,50}storage"
 51          )
 52                  )
 53          )
 54      )
 55    )
 56  )
 57  and (
 58    regex.icontains(subject.subject, '\bfull\b')
 59    or strings.icontains(subject.subject, "exceeded")
 60    or strings.icontains(subject.subject, "out of")
 61    or strings.icontains(subject.subject, "icloud")
 62    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
 63    or strings.icontains(subject.subject, "all storage used")
 64    or strings.icontains(subject.subject, "compliance")
 65    or strings.icontains(subject.subject, "max storage")
 66    or strings.icontains(subject.subject, "storage space")
 67    or strings.icontains(subject.subject, "be deleted")
 68  )
 69  // netgate links to loopnet.com - a popular commerical property listing service
 70  and not (
 71      any(body.links, .href_url.domain.root_domain == "loopnet.com")
 72  )
 73  
 74  // negate legitimate sharepoint storage alerts
 75  and (
 76    (
 77      sender.email.email == "no-reply@sharepointonline.com"
 78      and not headers.auth_summary.dmarc.pass
 79      and (
 80        not all(body.links,
 81                .href_url.domain.root_domain in~ (
 82                  "sharepoint.com",
 83                  "microsoft.com",
 84                  "aka.ms"
 85                )
 86        )
 87      )
 88    )
 89    or sender.email.email != "no-reply@sharepointonline.com"
 90  )
 91
 92  // negate legitimate iCloud China storage alerts
 93  and (
 94    (
 95      sender.email.email == "noreply@icloud.com.cn"
 96      and not headers.auth_summary.dmarc.pass
 97      and (
 98        not all(body.links,
 99                .href_url.domain.root_domain in~ (
100                  "icloud.com",
101                  "aka.ms"
102                )
103        )
104      )
105    )
106    or sender.email.email != "noreply@icloud.com.cn"
107  )
108
109  // negate bouncebacks and undeliverables
110  and not any(attachments,
111              .content_type in (
112                "message/global-delivery-status",
113                "message/delivery-status",
114              )
115              or (
116                .content_type == "message/rfc822"
117                and any(file.parse_eml(.).attachments,
118                        .content_type in (
119                          "message/global-delivery-status",
120                          "message/delivery-status",
121                        )
122                )
123              )
124  )
125
126  // negate highly trusted sender domains unless they fail DMARC authentication
127  and (
128    (
129      sender.email.domain.root_domain in $high_trust_sender_root_domains
130      and not headers.auth_summary.dmarc.pass
131    )
132    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
133  )
134  and (
135    not profile.by_sender().solicited
136    or profile.by_sender().any_messages_malicious_or_spam
137  )  
138attack_types:
139  - "Credential Phishing"
140tactics_and_techniques:
141  - "Social engineering"
142detection_methods:
143  - "Content analysis"
144  - "Sender analysis"
145
146id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"