Credential Phishing: Fake Storage alerts (unsolicited)

This rule targets credential phishing attempts disguised as storage-space alerts. It fires on inbound emails that carry specific storage-related keywords and then evaluates the sender's trustworthiness and message history.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The `source` block scalar holds the MQL
# expression; `//` is the comment syntax inside it, `#` outside it.
name: "Credential Phishing: Fake Storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only.
  type.inbound
  // Lure detection, either of two triggers:
  //   1. a small link count (1-7) and the word "storage" in the subject or
  //      sender display name, or
  //   2. the OCR text of the rendered message screenshot carries a
  //      high-confidence "cred_theft" intent and "storage ... full" /
  //      "free ... upgrade" phrasing (presumably to cover image-only lures
  //      that the subject/display-name checks would miss).
  and (
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              strings.icontains(., "storage")
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          and strings.ilike(.scan.ocr.raw, "*storage*full*", "*free*upgrade*")
      )
    )
  )
  // Subject must also carry one of the urgency phrasings. `\bfull\b` is
  // word-bounded, so "fully" / "fullname" do not match; the remaining checks
  // are plain case-insensitive substring matches.
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "icloud")
    or strings.icontains(subject.subject, "limit")
    or strings.icontains(subject.subject, "all storage used")
  )
  
  // negate legitimate sharepoint storage alerts
  // The exemption is keyed on an exact sender address: only the literal
  // no-reply@sharepointonline.com address is exempted, and only while DMARC
  // passes or every link stays on the listed Microsoft root domains (`in~`
  // is case-insensitive). That address still fires when DMARC fails AND at
  // least one link leaves those domains. Any other address takes the `!=`
  // branch and is evaluated normally.
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // A root domain in $high_trust_sender_root_domains is exempt only while
  // DMARC passes; a DMARC failure from a trusted domain still fires.
  // NOTE(review): when no DMARC result is present, `not ...dmarc.pass` is
  // presumably treated as true (missing -> falsy) and the message is NOT
  // exempted — confirm, since that decides how unauthenticated mail from
  // trusted domains is handled here and in the sharepoint clause above.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender-history gate: fire only for senders the recipient has not
  // solicited, or senders with prior malicious/spam messages on record.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )  

# Classification metadata used for reporting/triage.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

# Stable rule identifier.
id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"