Credential Phishing: Fake Storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
Sublime rule (View on GitHub)
1name: "Credential Phishing: Fake Storage alerts (unsolicited)"
2description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 (
9 0 < length(body.links) < 8
10 and any([subject.subject, sender.display_name],
11 regex.icontains(., "storage|mailbox")
12 )
13 )
14 or (
15 any(file.explode(beta.message_screenshot()),
16 any(ml.nlu_classifier(.scan.ocr.raw).intents,
17 .name == "cred_theft" and .confidence == "high"
18 )
19 and regex.icontains(.scan.ocr.raw,
20 "storage.{0,50}full",
21 "free.{0,50}upgrade",
22 "storage.{0,50}details",
23 "storage.{0,50}quot",
24 "email.{0,50}storage",
25 "total.{0,50}storage"
26 )
27 and not strings.ilike(.scan.ocr.raw, "*free plan*")
28 )
29 )
30 or (
31 any(body.links,
32 // fingerprints of a hyperlinked image
33 .display_text is null
34 and .display_url.url is null
35 and (
36 .href_url.domain.root_domain in $free_file_hosts
37 or .href_url.domain.root_domain == "beehiiv.com"
38 )
39 and length(attachments) ==1
40 and all(attachments,
41 .file_type in $file_types_images
42 and .size > 2000
43 and any(file.explode(.),
44 regex.icontains(.scan.ocr.raw,
45 "storage.{0,50}full",
46 "free.{0,50}upgrade",
47 "storage.{0,50}details",
48 "storage.{0,50}quot",
49 "email.{0,50}storage",
50 "total.{0,50}storage"
51 )
52 )
53 )
54 )
55 )
56 )
57 and (
58 regex.icontains(subject.subject, '\bfull\b')
59 or strings.icontains(subject.subject, "exceeded")
60 or strings.icontains(subject.subject, "out of")
61 or strings.icontains(subject.subject, "icloud")
62 or strings.icontains(subject.subject, "limit")
63 or strings.icontains(subject.subject, "all storage used")
64 or strings.icontains(subject.subject, "compliance")
65 or strings.icontains(subject.subject, "max storage")
66 or strings.icontains(subject.subject, "storage space")
67 )
68
69 // negate legitimate sharepoint storage alerts
70 and (
71 (
72 sender.email.email == "no-reply@sharepointonline.com"
73 and not headers.auth_summary.dmarc.pass
74 and (
75 not all(body.links,
76 .href_url.domain.root_domain in~ (
77 "sharepoint.com",
78 "microsoft.com",
79 "aka.ms"
80 )
81 )
82 )
83 )
84 or sender.email.email != "no-reply@sharepointonline.com"
85 )
86 // negate highly trusted sender domains unless they fail DMARC authentication
87 and (
88 (
89 sender.email.domain.root_domain in $high_trust_sender_root_domains
90 and not headers.auth_summary.dmarc.pass
91 )
92 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
93 )
94 and (
95 not profile.by_sender().solicited
96 or profile.by_sender().any_messages_malicious_or_spam
97 )
98attack_types:
99 - "Credential Phishing"
100tactics_and_techniques:
101 - "Social engineering"
102detection_methods:
103 - "Content analysis"
104 - "Sender analysis"
105
106id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"