Link: Generic financial document with proceedural timeline template

Detects messages with generic greetings that reference payment releases & timelines, and exhibit unusual recipient patterns such as self-sending or missing recipients.

Sublime rule (View on GitHub)

 1name: "Link: Generic financial document with proceedural timeline template"
 2description: "Detects messages with generic greetings that reference payment releases & timelines, and exhibit unusual recipient patterns such as self-sending or missing recipients."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // link limiter scopes thread hijacking but limits reports
 8  and length(body.links) <= 40
 9  
10  // expectation of time
11  and regex.icontains(body.current_thread.text,
12                      'will be released.{0,15}(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),\s+(?:January|February|March|April|May|June|July|August|September|October|November|December)\s+\d{1,2},',
13                      '\b[1-4]\W[1-4]\b.{1,10}days'
14  )
15  
16  // link is malicious
17  and any(body.links,
18          // key phrasing or nlu
19          (
20            regex.icontains(.display_text,
21                            '(?:access|show|view).{0,10}(?:confirmation|message|payment|statement)',
22                            'advice',
23                            'deposit',
24                            'document',
25                            'eft',
26                            'release',
27                            'remit'
28            )
29            or any(ml.nlu_classifier(body.current_thread.text).topics,
30                   .name == "Request to View Invoice" and .confidence == "high"
31            )
32          )
33          // suspicious hosting
34          and (
35            .href_url.domain.domain in $free_file_hosts
36            or .href_url.domain.root_domain in $free_file_hosts
37            or .href_url.domain.tld in $suspicious_tlds
38            or .href_url.domain.domain in $self_service_creation_platform_domains
39            or (
40              .href_url.domain.root_domain not in $tranco_1m
41              and not .href_url.scheme == "mailto"
42            )
43            or .href_url.domain.root_domain in $url_shorteners
44            // open redirect
45            or strings.icontains(.href_url.query_params, '=https', 'url=', 'upn=')
46            // bait and switch CTA observed
47            or (
48              strings.icontains(body.current_thread.text, "[message clipped]")
49              and strings.icontains(.display_text, "view entire message")
50            )
51          )
52          // negate org domains
53          and .href_url.domain.valid != false
54          and .href_url.domain.root_domain not in $org_domains
55  )
56  
57  // suspicious sender behavior
58  and (
59    (
60      length(recipients.to) == 1
61      and length(recipients.cc) == 0
62      and sender.email.email == recipients.to[0].email.email
63    )
64    // the recipient is undisclosed or there are no recipients
65    or (
66      length(recipients.to) == 0
67      or all(recipients.to, .email.domain.valid == false)
68    )
69  )  
70
71tags:
72 - "Attack surface reduction"
73attack_types:
74  - "BEC/Fraud"
75  - "Credential Phishing"
76tactics_and_techniques:
77  - "Social engineering"
78  - "Evasion"
79detection_methods:
80  - "Content analysis"
81  - "Natural Language Understanding"
82  - "Header analysis"
83  - "Sender analysis"
84id: "027cb65d-aee3-5f10-9555-20b719bbde42"

Related rules

to-top