Fake message thread with a suspicious link and engaging language from an unknown sender
Detects fake message threads with suspicious links and financial request language
Sublime rule (View on GitHub)
1name: "Fake message thread with a suspicious link and engaging language from an unknown sender"
2description: "Detects fake message threads with suspicious links and financial request language"
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(body.links) < 10
8
9 // fake thread check
10 and (
11 strings.istarts_with(subject.subject, "RE:")
12 or strings.istarts_with(subject.subject, "FWD:")
13 )
14
15 // Check for the Presence of References or In-Reply-To properties
16 and (
17 (length(headers.references) == 0 and headers.in_reply_to is null)
18 or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
19 )
20
21 // sender's domain is not in body, and body has > 0 links
22 and length(body.links) > 0
23 and sender.email.domain.root_domain not in $free_email_providers
24 and not any(body.links,
25 .href_url.domain.root_domain == sender.email.domain.root_domain
26 )
27
28 // unusual sender (email address rarely sends to your organization)
29 and sender.email.email not in $sender_emails
30
31 // unusual sender domain (domain rarely sends to your organization)
32 and sender.email.domain.domain not in $sender_domains
33 and 4 of (
34 // language attempting to engage
35 (
36 any(ml.nlu_classifier(body.current_thread.text).entities,
37 .name == "request"
38 )
39 and any(ml.nlu_classifier(body.current_thread.text).entities,
40 .name == "financial"
41 )
42 ),
43
44 // invoicing language
45 any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
46
47 // urgency request
48 any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
49
50 // cred_theft detection
51 any(ml.nlu_classifier(body.current_thread.text).intents,
52 .name == "cred_theft" and .confidence in~ ("medium", "high")
53 ),
54
55 // commonly abused sender TLD
56 strings.ilike(sender.email.domain.tld, "*.jp"),
57
58 // headers traverse abused TLD
59 any(headers.domains, strings.ilike(.tld, "*.jp")),
60
61 // known suspicious pattern in the URL path
62 any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),
63
64 // link display text is in all caps
65 any(body.links, regex.match(.display_text, '[A-Z ]+')),
66
67 // display name contains an email
68 regex.contains(sender.display_name, '[a-z0-9]+@[a-z]+'),
69
70 // Sender domain is empty
71 sender.email.domain.domain == "",
72
73 // sender domain matches no body domains
74 all(body.links,
75 .href_url.domain.root_domain != sender.email.domain.root_domain
76 ),
77 )
78
79 // negate highly trusted sender domains unless they fail DMARC authentication
80 and (
81 (
82 sender.email.domain.root_domain in $high_trust_sender_root_domains
83 and not headers.auth_summary.dmarc.pass
84 )
85 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
86 )
87
88attack_types:
89 - "Credential Phishing"
90tactics_and_techniques:
91 - "Social engineering"
92detection_methods:
93 - "Content analysis"
94 - "Header analysis"
95 - "Natural Language Understanding"
96 - "Sender analysis"
97 - "URL analysis"
98id: "8fd0e211-285d-5cbd-9c11-868c0501b526"