Link: Generic financial document with proceedural timeline template
Detects messages with generic greetings that reference payment releases & timelines, and exhibit unusual recipient patterns such as self-sending or missing recipients.
Sublime rule (View on GitHub)
1name: "Link: Generic financial document with proceedural timeline template"
2description: "Detects messages with generic greetings that reference payment releases & timelines, and exhibit unusual recipient patterns such as self-sending or missing recipients."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 // link limiter scopes thread hijacking but limits reports
8 and length(body.links) <= 40
9
10 // expectation of time
11 and regex.icontains(body.current_thread.text,
12 'will be released.{0,15}(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),\s+(?:January|February|March|April|May|June|July|August|September|October|November|December)\s+\d{1,2},',
13 '\b[1-4]\W[1-4]\b.{1,10}days'
14 )
15
16 // link is malicious
17 and any(body.links,
18 // key phrasing or nlu
19 (
20 regex.icontains(.display_text,
21 '(?:access|show|view).{0,10}(?:confirmation|message|payment|statement)',
22 'advice',
23 'deposit',
24 'document',
25 'eft',
26 'release',
27 'remit'
28 )
29 or any(ml.nlu_classifier(body.current_thread.text).topics,
30 .name == "Request to View Invoice" and .confidence == "high"
31 )
32 )
33 // suspicious hosting
34 and (
35 .href_url.domain.domain in $free_file_hosts
36 or .href_url.domain.root_domain in $free_file_hosts
37 or .href_url.domain.tld in $suspicious_tlds
38 or .href_url.domain.domain in $self_service_creation_platform_domains
39 or (
40 .href_url.domain.root_domain not in $tranco_1m
41 and not .href_url.scheme == "mailto"
42 )
43 or .href_url.domain.root_domain in $url_shorteners
44 // open redirect
45 or strings.icontains(.href_url.query_params, '=https', 'url=', 'upn=')
46 // bait and switch CTA observed
47 or (
48 strings.icontains(body.current_thread.text, "[message clipped]")
49 and strings.icontains(.display_text, "view entire message")
50 )
51 )
52 // negate org domains
53 and .href_url.domain.valid != false
54 and .href_url.domain.root_domain not in $org_domains
55 )
56
57 // suspicious sender behavior
58 and (
59 (
60 length(recipients.to) == 1
61 and length(recipients.cc) == 0
62 and sender.email.email == recipients.to[0].email.email
63 )
64 // the recipient is undisclosed or there are no recipients
65 or (
66 length(recipients.to) == 0
67 or all(recipients.to, .email.domain.valid == false)
68 )
69 )
70
71tags:
72 - "Attack surface reduction"
73attack_types:
74 - "BEC/Fraud"
75 - "Credential Phishing"
76tactics_and_techniques:
77 - "Social engineering"
78 - "Evasion"
79detection_methods:
80 - "Content analysis"
81 - "Natural Language Understanding"
82 - "Header analysis"
83 - "Sender analysis"
84id: "027cb65d-aee3-5f10-9555-20b719bbde42"