Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  //
  // Shape of this rule: an inbound message matches when
  //   1. one of three "storage alert" lure shapes is present (a link-light body with a
  //      storage/mailbox keyword, a message screenshot whose OCR text reads as credential
  //      theft, or a hyperlinked image plus a single image attachment whose OCR text
  //      mentions storage),
  //   2. the subject carries one of the quota / urgency phrases listed further down, and
  //   3. none of the negations (known-legitimate senders, bouncebacks, highly trusted
  //      domains, solicited senders, the Proofpoint analyzer) applies.
  // The sender-specific negations are deliberately gated on DMARC: a message that
  // spoofs a legitimate notifier and fails DMARC is still evaluated.
  //
  type.inbound
  and (
    (
      // lure shape 1: body with 1-7 links and "storage" or "mailbox" in the subject
      // or in the sender display name
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "(?:storage|mailbox)")
      )
    )
    or (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      // lure shape 2: the rendered message screenshot is OCR'd; the text must carry a
      // high-confidence "cred_theft" intent from the NLU classifier AND one of the
      // storage phrases below, and must not mention a "free plan". The screenshot OCR
      // text is requested in each of the three calls below; no binding is used here.
      any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      and regex.icontains(beta.ocr(file.message_screenshot()).text,
                          "storage.{0,50}full",
                          "free.{0,50}upgrade",
                          "storage.{0,50}details",
                          "storage.{0,50}quot",
                          "email.{0,50}storage",
                          "total.{0,50}storage",
                          "storage.{0,50}limit",
                          "cloud.{0,50}update payment",
      )
      // presumably excludes legitimate free-tier upgrade notices — confirm against
      // the false positives this exclusion was added for
      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
                            "*free plan*"
      )
    )
    or (
      // lure shape 3: the whole "alert" is an image that links out to a free file
      // host (or beehiiv.com) and is delivered as the message's only attachment
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
      )
      and length(attachments) == 1
      and all(attachments,
              .file_type in $file_types_images
              // size threshold on the attachment size field; presumably bytes, so
              // tiny logos and tracking pixels are skipped — confirm
              and .size > 2000
              and any(file.explode(.),
                      // NOTE(review): this pattern list is a subset of the screenshot
                      // OCR list above (it omits "storage.{0,50}limit" and
                      // "cloud.{0,50}update payment") — confirm that is intentional
                      regex.icontains(.scan.ocr.raw,
                                      "storage.{0,50}full",
                                      "free.{0,50}upgrade",
                                      "storage.{0,50}details",
                                      "storage.{0,50}quot",
                                      "email.{0,50}storage",
                                      "total.{0,50}storage"
                      )
              )
      )
    )
  )
  // subject gate: every lure shape above must also be paired with a quota / urgency
  // phrase in the subject
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "mailbox")
    or strings.icontains(subject.subject, "icloud")
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "max storage")
    or regex.icontains(subject.subject, "storage (?:space|capacity warning)")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
    or strings.icontains(subject.subject, "undelivered messages")
    or strings.icontains(subject.subject, "review storage")
    or regex.icontains(subject.subject, '(?:upgrade|\bact\b) (?:today|now)')
    or strings.icontains(subject.subject, "subscription terminated")
    // "at 90-100%", "at one hundred percent" and similar usage-level phrasing
    or regex.icontains(subject.subject,
                       'at (?:100|9[0-9](?:\.\d+)?|one[\s-]?hundred) ?(?:percent|%)'
    )
  )

  // negate customer service requests about storage
  // (NLU topic on the current thread text, high confidence only)
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Customer Service and Support" and .confidence == "high"
  )

  // negate links to loopnet.com - a popular commerical property listing service
  and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))

  // negate legitimate sharepoint storage alerts
  // A message from no-reply@sharepointonline.com is only kept when it fails DMARC
  // AND at least one link leaves the Microsoft domains listed below (i.e. it looks
  // spoofed). Any other sender passes this clause unchanged.
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts
  // Same pattern as the SharePoint clause: noreply@icloud.com.cn is only kept when
  // DMARC fails and a link points outside icloud.com / aka.ms.
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate bouncebacks and undeliverables
  // (a delivery-status part attached directly, or nested inside an attached
  // message/rfc822 that is parsed here)
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status",
              )
              or (
                .content_type == "message/rfc822"
                and any(file.parse_eml(.).attachments,
                        .content_type in (
                          "message/global-delivery-status",
                          "message/delivery-status",
                        )
                )
              )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a trusted root domain that fails DMARC is treated as a possible spoof and kept)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender must be unsolicited per the sender profile, or have prior messages
  // flagged as malicious or spam
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // (all four conditions are required: the analyzer address, a pphosted.com domain
  // among the header domains, and both SPF and DMARC passing)
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"