Credential Phishing: Fake Storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
Sublime rule (View on GitHub)
1name: "Credential Phishing: Fake Storage alerts (unsolicited)"
2description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 (
9 0 < length(body.links) < 8
10 and any([subject.subject, sender.display_name],
11 regex.icontains(., "storage|mailbox")
12 )
13 )
14 or (
15 any(file.explode(beta.message_screenshot()),
16 any(ml.nlu_classifier(.scan.ocr.raw).intents,
17 .name == "cred_theft" and .confidence == "high"
18 )
19 and regex.icontains(.scan.ocr.raw,
20 "storage.{0,50}full",
21 "free.{0,50}upgrade",
22 "storage.{0,50}details",
23 "storage.{0,50}quot",
24 "email.{0,50}storage",
25 "total.{0,50}storage"
26 )
27 and not strings.ilike(.scan.ocr.raw, "*free plan*")
28 )
29 )
30 or (
31 any(body.links,
32 // fingerprints of a hyperlinked image
33 .display_text is null
34 and .display_url.url is null
35 and (
36 .href_url.domain.root_domain in $free_file_hosts
37 or .href_url.domain.root_domain == "beehiiv.com"
38 )
39 and length(attachments) ==1
40 and all(attachments,
41 .file_type in $file_types_images
42 and .size > 2000
43 and any(file.explode(.),
44 regex.icontains(.scan.ocr.raw,
45 "storage.{0,50}full",
46 "free.{0,50}upgrade",
47 "storage.{0,50}details",
48 "storage.{0,50}quot",
49 "email.{0,50}storage",
50 "total.{0,50}storage"
51 )
52 )
53 )
54 )
55 )
56 )
57 and (
58 regex.icontains(subject.subject, '\bfull\b')
59 or strings.icontains(subject.subject, "exceeded")
60 or strings.icontains(subject.subject, "out of")
61 or strings.icontains(subject.subject, "icloud")
62 or strings.icontains(subject.subject, "limit")
63 or strings.icontains(subject.subject, "all storage used")
64 or strings.icontains(subject.subject, "compliance")
65 or strings.icontains(subject.subject, "max storage")
66 or strings.icontains(subject.subject, "storage space")
67 or strings.icontains(subject.subject, "be deleted")
68 )
69 // netgate links to loopnet.com - a popular commerical property listing service
70 and not (
71 any(body.links, .href_url.domain.root_domain == "loopnet.com")
72 )
73
74 // negate legitimate sharepoint storage alerts
75 and (
76 (
77 sender.email.email == "no-reply@sharepointonline.com"
78 and not headers.auth_summary.dmarc.pass
79 and (
80 not all(body.links,
81 .href_url.domain.root_domain in~ (
82 "sharepoint.com",
83 "microsoft.com",
84 "aka.ms"
85 )
86 )
87 )
88 )
89 or sender.email.email != "no-reply@sharepointonline.com"
90 )
91
92 // negate legitimate iCloud China storage alerts
93 and (
94 (
95 sender.email.email == "noreply@icloud.com.cn"
96 and not headers.auth_summary.dmarc.pass
97 and (
98 not all(body.links,
99 .href_url.domain.root_domain in~ (
100 "icloud.com",
101 "aka.ms"
102 )
103 )
104 )
105 )
106 or sender.email.email != "noreply@icloud.com.cn"
107 )
108
109 // negate bouncebacks and undeliverables
110 and not any(attachments,
111 .content_type in (
112 "message/global-delivery-status",
113 "message/delivery-status"
114 )
115 )
116
117 // negate highly trusted sender domains unless they fail DMARC authentication
118 and (
119 (
120 sender.email.domain.root_domain in $high_trust_sender_root_domains
121 and not headers.auth_summary.dmarc.pass
122 )
123 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
124 )
125 and (
126 not profile.by_sender().solicited
127 or profile.by_sender().any_messages_malicious_or_spam
128 )
129attack_types:
130 - "Credential Phishing"
131tactics_and_techniques:
132 - "Social engineering"
133detection_methods:
134 - "Content analysis"
135 - "Sender analysis"
136
137id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"