Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing disguised as storage-quota alerts. It evaluates inbound mail whose subject, sender display name, body links or OCR'd message/attachment text carry storage-related wording, requires an urgency or quota phrase in the subject, and fires only when the sender is unsolicited or has previously sent malicious or spam mail. Known storage-alert senders (SharePoint, iCloud China, high-trust domains) are exempted only while they pass DMARC; bouncebacks, customer-support threads and a few known benign sources are excluded.
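# Sublime Security detection rule. The YAML keys are rule metadata; `source`
# holds the MQL expression evaluated against each inbound message.
#
# Firing conditions, in order:
#   1. The message is inbound and matches one of three "storage alert" shapes:
#        a. 1-7 body links and "storage"/"mailbox" in the subject or sender display name;
#        b. OCR of a screenshot of the rendered message is classified as high-confidence
#           "cred_theft" and contains storage-quota wording (beta OCR feature, see below);
#        c. a hyperlinked image pointing at a free file host (or beehiiv.com) plus exactly
#           one image attachment (.size > 2000) whose OCR text contains storage-quota wording.
#   2. The subject also carries an urgency / quota phrase (full, exceeded, action required, ...).
#   3. None of the exclusions apply: customer-support topic, loopnet.com links, bouncebacks,
#      the Proofpoint analyzer mailbox, and DMARC-authenticated SharePoint / iCloud China /
#      high-trust senders (those senders are still flagged when DMARC fails).
#   4. The sender is unsolicited, or has previously sent malicious or spam mail.
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // one of three "storage alert" shapes must match
  and (
    // shape a: a small number of links and storage/mailbox wording in subject or display name
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "(?:storage|mailbox)")
      )
    )
    // shape b: OCR of the rendered message screenshot looks like a storage-quota cred-theft lure
    or (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      // NOTE: beta.ocr(file.message_screenshot()) is evaluated three times in this branch
      any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      and regex.icontains(beta.ocr(file.message_screenshot()).text,
                          "storage.{0,50}full",
                          "free.{0,50}upgrade",
                          "storage.{0,50}details",
                          "storage.{0,50}quot",
                          "email.{0,50}storage",
                          "total.{0,50}storage",
                          "storage.{0,50}limit",
                          "cloud.{0,50}update payment",
      )
      // "free plan" marketing copy is not treated as a quota lure
      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
                            "*free plan*"
      )
    )
    // shape c: an image-only link to a free file host plus a single image attachment
    // whose OCR text carries storage-quota wording
    or (
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
      )
      and length(attachments) == 1
      and all(attachments,
              .file_type in $file_types_images
              and .size > 2000
              and any(file.explode(.),
                      regex.icontains(.scan.ocr.raw,
                                      "storage.{0,50}full",
                                      "free.{0,50}upgrade",
                                      "storage.{0,50}details",
                                      "storage.{0,50}quot",
                                      "email.{0,50}storage",
                                      "total.{0,50}storage"
                      )
              )
      )
    )
  )
  // the subject must also carry an urgency / quota phrase
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "mailbox")
    or strings.icontains(subject.subject, "icloud")
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "storage space")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
    or strings.icontains(subject.subject, "undelivered messages")
    or strings.icontains(subject.subject, "review storage")
    or regex.icontains(subject.subject, "upgrade (today|now)")
    or strings.icontains(subject.subject, "subscription terminated")
  )

  // negate customer service requests about storage
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Customer Service and Support" and .confidence == "high"
  )

  // negate links to loopnet.com - a popular commerical property listing service
  and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))

  // negate legitimate sharepoint storage alerts
  // mail from the exact SharePoint sender is still flagged when it fails DMARC
  // AND carries a link outside the Microsoft domains listed here
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts
  // same pattern as SharePoint above: exact sender + DMARC failure + off-domain link still fires
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate bouncebacks and undeliverables
  // covers both a direct delivery-status part and one nested inside an rfc822 attachment
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status",
              )
              or (
                .content_type == "message/rfc822"
                and any(file.parse_eml(.).attachments,
                        .content_type in (
                          "message/global-delivery-status",
                          "message/delivery-status",
                        )
                )
              )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // only unsolicited senders, or solicited senders with prior malicious/spam history
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // the exception requires both SPF and DMARC to pass so it cannot be claimed by a spoofed sender
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"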