Credential phishing: Fake storage alerts (unsolicited)

This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.

Sublime rule (View on GitHub)

  1name: "Credential phishing: Fake storage alerts (unsolicited)"
  2description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      0 < length(body.links) < 8
 10      and any([subject.subject, sender.display_name],
 11              regex.icontains(., "(?:storage|mailbox)")
 12      )
 13    )
 14    or (
 15      //
 16      // This rule makes use of a beta feature and is subject to change without notice
 17      // using the beta feature in custom rules is not suggested until it has been formally released
 18      //
 19      any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
 20          .name == "cred_theft" and .confidence == "high"
 21      )
 22      and regex.icontains(beta.ocr(file.message_screenshot()).text,
 23                          "storage.{0,50}full",
 24                          "free.{0,50}upgrade",
 25                          "storage.{0,50}details",
 26                          "storage.{0,50}quot",
 27                          "email.{0,50}storage",
 28                          "total.{0,50}storage",
 29                          "storage.{0,50}limit",
 30                          "cloud.{0,50}update payment",
 31      )
 32      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
 33                            "*free plan*"
 34      )
 35    )
 36    or (
 37      any(body.links,
 38          // fingerprints of a hyperlinked image
 39          .display_text is null
 40          and .display_url.url is null
 41          and (
 42            .href_url.domain.root_domain in $free_file_hosts
 43            or .href_url.domain.root_domain == "beehiiv.com"
 44          )
 45      )
 46      and length(attachments) == 1
 47      and all(attachments,
 48              .file_type in $file_types_images
 49              and .size > 2000
 50              and any(file.explode(.),
 51                      regex.icontains(.scan.ocr.raw,
 52                                      "storage.{0,50}full",
 53                                      "free.{0,50}upgrade",
 54                                      "storage.{0,50}details",
 55                                      "storage.{0,50}quot",
 56                                      "email.{0,50}storage",
 57                                      "total.{0,50}storage"
 58                      )
 59              )
 60      )
 61    )
 62  )
 63  and (
 64    strings.icontains(subject.subject,
 65                      "exceeded",
 66                      "out of",
 67                      "mailbox",
 68                      "icloud",
 69                      "all storage used",
 70                      "compliance",
 71                      "critical",
 72                      "problem",
 73                      "max storage",
 74                      "be deleted",
 75                      "action required",
 76                      "undelivered messages",
 77                      "review storage",
 78                      "subscription terminated",
 79                      "final notice",
 80                      "data retention",
 81                      "file deletion",
 82                      "suspend"
 83    )
 84    or regex.icontains(subject.subject,
 85                       '\bfull\b',
 86                       '\blimit(?:ed|\b)',
 87                       "storage (?:space|capacity warning|is used)",
 88                       '(?:upgrade|\bact\b) (?:today|now)',
 89                       'at (?:100|9[0-9](?:\.\d+)?|one[\s-]?hundred) ?(?:percent|%)'
 90    )
 91  )
 92  
 93  // negate customer service requests about storage
 94  and not any(ml.nlu_classifier(body.current_thread.text).topics,
 95              .name == "Customer Service and Support" and .confidence == "high"
 96  )
 97  
 98  // negate links to loopnet.com - a popular commerical property listing service
 99  and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))
100  
101  // negate legitimate sharepoint storage alerts
102  and (
103    (
104      sender.email.email == "no-reply@sharepointonline.com"
105      and not headers.auth_summary.dmarc.pass
106      and (
107        not all(body.links,
108                .href_url.domain.root_domain in~ (
109                  "sharepoint.com",
110                  "microsoft.com",
111                  "aka.ms"
112                )
113        )
114      )
115    )
116    or sender.email.email != "no-reply@sharepointonline.com"
117  )
118  
119  // negate legitimate iCloud China storage alerts
120  and (
121    (
122      sender.email.email == "noreply@icloud.com.cn"
123      and not headers.auth_summary.dmarc.pass
124      and (
125        not all(body.links,
126                .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
127        )
128      )
129    )
130    or sender.email.email != "noreply@icloud.com.cn"
131  )
132  
133  // negate bouncebacks and undeliverables
134  and not any(attachments,
135              .content_type in (
136                "message/global-delivery-status",
137                "message/delivery-status",
138              )
139              or (
140                .content_type == "message/rfc822"
141                and any(file.parse_eml(.).attachments,
142                        .content_type in (
143                          "message/global-delivery-status",
144                          "message/delivery-status",
145                        )
146                )
147              )
148  )
149  
150  // negate highly trusted sender domains unless they fail DMARC authentication
151  and (
152    (
153      sender.email.domain.root_domain in $high_trust_sender_root_domains
154      and not headers.auth_summary.dmarc.pass
155    )
156    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
157  )
158  and (
159    not profile.by_sender().solicited
160    or profile.by_sender().any_messages_malicious_or_spam
161  )
162  // negate instances where proofpoint sends a review of a reported message via analyzer
163  and not (
164    sender.email.email == "analyzer@analyzer.securityeducation.com"
165    and any(headers.domains, .root_domain == "pphosted.com")
166    and headers.auth_summary.spf.pass
167    and headers.auth_summary.dmarc.pass
168  )  
169attack_types:
170  - "Credential Phishing"
171tactics_and_techniques:
172  - "Social engineering"
173detection_methods:
174  - "Content analysis"
175  - "Sender analysis"
176
177id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"
to-top