Credential Phishing: Fake Storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
Sublime rule (View on GitHub)
name: "Credential Phishing: Fake Storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only; every clause below narrows this further.
  type.inbound
  // Lure detection, two alternatives:
  //   (1) a message with 1-7 links whose subject or sender display name
  //       mentions "storage", or
  //   (2) a rendered screenshot whose OCR text the NLU classifier tags as
  //       high-confidence "cred_theft" AND that matches a storage-full /
  //       free-upgrade phrase.
  and (
    (
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              strings.icontains(., "storage")
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          and strings.ilike(.scan.ocr.raw, "*storage*full*", "*free*upgrade*")
      )
    )
  )
  // The subject must also carry a storage-exhaustion phrase.
  // NOTE(review): "out of" is a broad substring (e.g. "out of office"); it is
  // gated by the lure clause above, but confirm this does not widen matches.
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "icloud")
    or strings.icontains(subject.subject, "limit")
    or strings.icontains(subject.subject, "all storage used")
  )

  // negate legitimate sharepoint storage alerts
  // A no-reply@sharepointonline.com sender is kept only when DMARC fails AND
  // at least one link resolves outside the listed root domains; any other
  // sender passes through this clause unchanged.
  // NOTE(review): if the DMARC summary is absent, how
  // "not headers.auth_summary.dmarc.pass" evaluates depends on MQL null
  // handling — confirm the intended outcome for unauthenticated mail.
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and not headers.auth_summary.dmarc.pass
      and (
        not all(body.links,
                .href_url.domain.root_domain in~ (
                  "sharepoint.com",
                  "microsoft.com",
                  "aka.ms"
                )
        )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain is kept only when DMARC fails (possible spoof);
  // all other root domains pass through unchanged.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender history: require an unsolicited sender, or one whose prior
  // messages were flagged malicious or spam.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"