Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
# Sublime Security detection rule (YAML metadata + MQL `source` expression).
# Overall shape of `source`: one of three lure "triggers" must fire, the subject
# must carry storage/urgency wording, and then a series of `and not` negations
# carve out known-legitimate senders and message types.
name: "Credential phishing: Fake storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  type.inbound
  //
  // Trigger gate: any ONE of the three alternatives below qualifies the message.
  //   A) few links + "storage"/"mailbox" in the subject or display name
  //   B) screenshot OCR classified as cred_theft + storage wording in the OCR text
  //   C) a single hyperlinked image attachment whose OCR text has storage wording
  //
  and (
    (
      // A) text-based lure: between 1 and 7 links and a storage/mailbox keyword
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              regex.icontains(., "(?:storage|mailbox)")
      )
    )
    or (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      // B) rendered-message lure: the whole message is screenshotted and OCR'd.
      // beta.ocr(file.message_screenshot()) is written out three times in this
      // branch; whether the engine memoizes the result is not visible here.
      any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      // Storage-themed phrases in the OCR text. NOTE: this list carries two
      // patterns ("storage.{0,50}limit", "cloud.{0,50}update payment") that the
      // attachment-OCR list in branch C does not; confirm the divergence is
      // intentional before editing either list.
      and regex.icontains(beta.ocr(file.message_screenshot()).text,
                          "storage.{0,50}full",
                          "free.{0,50}upgrade",
                          "storage.{0,50}details",
                          "storage.{0,50}quot",
                          "email.{0,50}storage",
                          "total.{0,50}storage",
                          "storage.{0,50}limit",
                          "cloud.{0,50}update payment",
      )
      // "free plan" wording is treated as a marketing/upsell signal and excluded
      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
                            "*free plan*"
      )
    )
    or (
      // C) image-only lure: at least one link is an image with no display text
      // or display URL, pointing at a free file host or beehiiv.com ...
      any(body.links,
          // fingerprints of a hyperlinked image
          .display_text is null
          and .display_url.url is null
          and (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain == "beehiiv.com"
          )
      )
      // ... and the message carries exactly one attachment, which must be an
      // image (size threshold unit is not visible here; presumably bytes — confirm)
      // whose OCR text contains storage-themed wording.
      and length(attachments) == 1
      and all(attachments,
              .file_type in $file_types_images
              and .size > 2000
              and any(file.explode(.),
                      regex.icontains(.scan.ocr.raw,
                                      "storage.{0,50}full",
                                      "free.{0,50}upgrade",
                                      "storage.{0,50}details",
                                      "storage.{0,50}quot",
                                      "email.{0,50}storage",
                                      "total.{0,50}storage"
                      )
              )
      )
    )
  )
  //
  // Subject gate: required regardless of which trigger fired. Several of these
  // terms are generic urgency words ("compliance", "critical", "problem",
  // "action required"); for triggers B and C the storage theme comes from the
  // OCR text, not from the subject.
  //
  and (
    strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "mailbox")
    or strings.icontains(subject.subject, "icloud")
    or strings.icontains(subject.subject, "all storage used")
    or strings.icontains(subject.subject, "compliance")
    or strings.icontains(subject.subject, "critical")
    or strings.icontains(subject.subject, "problem")
    or strings.icontains(subject.subject, "max storage")
    or strings.icontains(subject.subject, "be deleted")
    or strings.icontains(subject.subject, "action required")
    or strings.icontains(subject.subject, "undelivered messages")
    or strings.icontains(subject.subject, "review storage")
    or strings.icontains(subject.subject, "subscription terminated")
    or strings.icontains(subject.subject, "final notice")
    or strings.icontains(subject.subject, "data retention")
    or strings.icontains(subject.subject, "file deletion")
    or regex.icontains(subject.subject, '\bfull\b')
    or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
    or regex.icontains(subject.subject, "storage (?:space|capacity warning)")
    or regex.icontains(subject.subject, '(?:upgrade|\bact\b) (?:today|now)')
    // percentage-full wording: "at 100%", "at 95 percent", "at one-hundred percent"
    or regex.icontains(subject.subject,
                       'at (?:100|9[0-9](?:\.\d+)?|one[\s-]?hundred) ?(?:percent|%)'
    )
  )

  // negate customer service requests about storage
  // (only the current thread text is classified, not quoted history)
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Customer Service and Support" and .confidence == "high"
  )

  // negate links to loopnet.com - a popular commercial property listing service
  and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))

  // negate legitimate sharepoint storage alerts
  // A message from the genuine SharePoint sender address survives this gate only
  // when DMARC fails AND at least one link leaves the Microsoft domains listed
  // (in~ is case-insensitive membership); every other sender is unaffected.
  // NOTE(review): if headers.auth_summary.dmarc.pass is null (no DMARC result),
  // the value of `not ...` depends on MQL null handling — confirm the intended
  // outcome for unauthenticated mail.
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )

  // negate legitimate iCloud China storage alerts
  // Same pattern as the SharePoint gate above, keyed on the iCloud China sender.
  and (
    (
      sender.email.email == "noreply@icloud.com.cn"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
        )
      )
    )
    or sender.email.email != "noreply@icloud.com.cn"
  )

  // negate bouncebacks and undeliverables
  // Delivery-status parts are checked both as direct attachments and one level
  // down inside an attached message/rfc822.
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status",
              )
              or (
                .content_type == "message/rfc822"
                and any(file.parse_eml(.).attachments,
                        .content_type in (
                          "message/global-delivery-status",
                          "message/delivery-status",
                        )
                )
              )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (same null-handling caveat as the SharePoint gate applies to dmarc.pass)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // "unsolicited" in the rule name: keep the message only when the recipient has
  // not solicited mail from this sender, or the sender already has a
  // malicious/spam history in the sender profile.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // The exclusion requires SPF and DMARC to pass and a pphosted.com header
  // domain, so a message merely spoofing the analyzer address is not excluded.
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
# Classification metadata used by the platform for reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"