Credential Phishing: Fake Storage alerts (unsolicited)

This rule targets credential phishing attempts disguised as storage space alerts: it fires on inbound emails that contain specific storage-related keywords and then evaluates the sender's trustworthiness and message history.

Sublime rule

name: "Credential Phishing: Fake Storage alerts (unsolicited)"
description: "This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only.
  type.inbound
  // Storage-quota lure, found either in the message metadata or in a
  // rendered screenshot of the message.
  and (
    (
      // Link-light message (1-7 links) whose subject or sender display name
      // mentions "storage".
      0 < length(body.links) < 8
      and any([subject.subject, sender.display_name],
              strings.icontains(., "storage")
      )
    )
    or (
      // Screenshot OCR text classified as high-confidence credential theft
      // and phrased like a "storage full" / "free upgrade" notice.
      any(file.explode(beta.message_screenshot()),
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          and strings.ilike(.scan.ocr.raw, "*storage*full*", "*free*upgrade*")
      )
    )
  )
  // The subject must also carry a quota/limit phrase. "full" is matched as a
  // whole word via regex; the remaining terms are plain substring matches.
  and (
    regex.icontains(subject.subject, '\bfull\b')
    or strings.icontains(subject.subject, "exceeded")
    or strings.icontains(subject.subject, "out of")
    or strings.icontains(subject.subject, "icloud")
    or strings.icontains(subject.subject, "limit")
    or strings.icontains(subject.subject, "all storage used")
  )

  // negate legitimate sharepoint storage alerts
  // Mail from the SharePoint notification address stays in scope only when a
  // hop reports a DMARC failure AND at least one link leaves the Microsoft
  // domains listed below; every other sender address passes this clause.
  // NOTE(review): a DMARC-failing message from this address whose links all
  // stay on those domains is exempted as well — confirm that is intended.
  and (
    (
      sender.email.email == "no-reply@sharepointonline.com"
      and (
        // Any hop carrying a DMARC result that ends in "fail"
        // (same check is reused for high-trust domains below).
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
      and not all(body.links,
                  .href_url.domain.root_domain in~ (
                    "sharepoint.com",
                    "microsoft.com",
                    "aka.ms"
                  )
      )
    )
    or sender.email.email != "no-reply@sharepointonline.com"
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // Senders whose root domain is on the high-trust list are kept only on a
  // DMARC failure; senders off the list pass this clause unconditionally.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender-history gate: the recipient has not solicited mail from this
  // sender, or the sender has prior malicious/spam messages on record.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )  

# Rule classification metadata.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"

id: "750f04d6-f68a-564c-9e41-c1e5a58df28f"