Credential Phishing: Fake Storage alerts (unsolicited)

This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.

Sublime rule (View on GitHub)

  1name: "Credential Phishing: Fake Storage alerts (unsolicited)"
  2description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      0 < length(body.links) < 8
 10      and any([subject.subject, sender.display_name],
 11              regex.icontains(., "storage|mailbox")
 12      )
 13    )
 14    or (
 15      any(file.explode(beta.message_screenshot()),
 16          any(ml.nlu_classifier(.scan.ocr.raw).intents,
 17               .name == "cred_theft" and .confidence == "high"
 18          )
 19          and regex.icontains(.scan.ocr.raw,
 20                            "storage.{0,50}full",
 21                            "free.{0,50}upgrade",
 22                            "storage.{0,50}details",
 23                            "storage.{0,50}quot",
 24                            "email.{0,50}storage",
 25                            "total.{0,50}storage"
 26          )
 27          and not strings.ilike(.scan.ocr.raw, "*free plan*")
 28      )
 29    )
 30    or (
 31      any(body.links,
 32          // fingerprints of a hyperlinked image
 33          .display_text is null
 34          and .display_url.url is null
 35          and (
 36            .href_url.domain.root_domain in $free_file_hosts
 37            or .href_url.domain.root_domain == "beehiiv.com"
 38          )
 39          and length(attachments) ==1
 40          and all(attachments,
 41                  .file_type in $file_types_images
 42                  and .size > 2000
 43                  and any(file.explode(.),
 44                          regex.icontains(.scan.ocr.raw,
 45                            "storage.{0,50}full",
 46                            "free.{0,50}upgrade",
 47                            "storage.{0,50}details",
 48                            "storage.{0,50}quot",
 49                            "email.{0,50}storage",
 50                            "total.{0,50}storage"
 51          )
 52                  )
 53          )
 54      )
 55    )
 56  )
 57  and (
 58    regex.icontains(subject.subject, '\bfull\b')
 59    or strings.icontains(subject.subject, "exceeded")
 60    or strings.icontains(subject.subject, "out of")
 61    or strings.icontains(subject.subject, "icloud")
 62    or strings.icontains(subject.subject, "limit")
 63    or strings.icontains(subject.subject, "all storage used")
 64    or strings.icontains(subject.subject, "compliance")
 65    or strings.icontains(subject.subject, "max storage")
 66    or strings.icontains(subject.subject, "storage space")
 67    or strings.icontains(subject.subject, "be deleted")
 68  )
 69  // netgate links to loopnet.com - a popular commerical property listing service
 70  and not (
 71      any(body.links, .href_url.domain.root_domain == "loopnet.com")
 72  )
 73  
 74  // negate legitimate sharepoint storage alerts
 75  and (
 76    (
 77      sender.email.email == "no-reply@sharepointonline.com"
 78      and not headers.auth_summary.dmarc.pass
 79      and (
 80        not all(body.links,
 81                .href_url.domain.root_domain in~ (
 82                  "sharepoint.com",
 83                  "microsoft.com",
 84                  "aka.ms"
 85                )
 86        )
 87      )
 88    )
 89    or sender.email.email != "no-reply@sharepointonline.com"
 90  )
 91
 92  // negate legitimate iCloud China storage alerts
 93  and (
 94    (
 95      sender.email.email == "noreply@icloud.com.cn"
 96      and not headers.auth_summary.dmarc.pass
 97      and (
 98        not all(body.links,
 99                .href_url.domain.root_domain in~ (
100                  "icloud.com",
101                  "aka.ms"
102                )
103        )
104      )
105    )
106    or sender.email.email != "noreply@icloud.com.cn"
107  )
108
109  // negate bouncebacks and undeliverables
110  and not any(attachments,
111              .content_type in (
112                "message/global-delivery-status",
113                "message/delivery-status"
114              )
115  )
116
117  // negate highly trusted sender domains unless they fail DMARC authentication
118  and (
119    (
120      sender.email.domain.root_domain in $high_trust_sender_root_domains
121      and not headers.auth_summary.dmarc.pass
122    )
123    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
124  )
125  and (
126    not profile.by_sender().solicited
127    or profile.by_sender().any_messages_malicious_or_spam
128  )  
129attack_types:
130  - "Credential Phishing"
131tactics_and_techniques:
132  - "Social engineering"
133detection_methods:
134  - "Content analysis"
135  - "Sender analysis"
136
137id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"