Fake message thread with a suspicious link and engaging language from an unknown sender

Detects fake message threads with suspicious links and financial request language

Sublime rule (View on GitHub)

 1name: "Fake message thread with a suspicious link and engaging language from an unknown sender"
 2description: "Detects fake message threads with suspicious links and financial request language"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  // suspicious link
 9  and any(body.links,
10          .href_url.domain.root_domain not in $tranco_1m
11          and .href_url.domain.domain not in $umbrella_1m
12  )
13  
14  // fake thread check
15  and (strings.istarts_with(subject.subject, "RE:") or strings.istarts_with(subject.subject, "FWD:"))
16  
17  // Check for the Presence of References or In-Reply-To properties
18  and (
19    (length(headers.references) == 0 and headers.in_reply_to is null)
20    or (
21      not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
22      and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
23    )
24  )
25  
26  // sender's domain is not in body, and body has > 0 links
27  and length(body.links) > 0
28  and sender.email.domain.root_domain not in $free_email_providers
29  and not any(body.links, .href_url.domain.root_domain == sender.email.domain.root_domain)
30  
31  // unusual sender (email address rarely sends to your organization)
32  and sender.email.email not in $sender_emails
33  
34  // unusual sender domain (domain rarely sends to your organization)
35  and sender.email.domain.domain not in $sender_domains
36  and 4 of (
37    // language attempting to engage
38    (
39      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
40      and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
41    ),
42  
43    // invoicing language
44    any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
45  
46    // urgency request
47    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
48  
49    // cred_theft detection
50    any(ml.nlu_classifier(body.current_thread.text).intents,
51        .name == "cred_theft" and .confidence in~ ("medium", "high")
52    ),
53  
54    // commonly abused sender TLD
55    strings.ilike(sender.email.domain.tld, "*.jp"),
56  
57    // headers traverse abused TLD
58    any(headers.domains, strings.ilike(.tld, "*.jp")),
59  
60    // known suspicious pattern in the URL path
61    any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),
62  
63    // link display text is in all caps
64    any(body.links, regex.match(.display_text, '[A-Z ]+')),
65  
66    // display name contains an email
67    regex.contains(sender.display_name, '[a-z0-9]+@[a-z]+'),
68  
69    // Sender domain is empty
70    sender.email.domain.domain == "",
71  
72    // sender domain matches no body domains
73    all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain),
74  )  
75attack_types:
76  - "Credential Phishing"
77tactics_and_techniques:
78  - "Social engineering"
79detection_methods:
80  - "Content analysis"
81  - "Header analysis"
82  - "Natural Language Understanding"
83  - "Sender analysis"
84  - "URL analysis"
85id: "8fd0e211-285d-5cbd-9c11-868c0501b526"
to-top