Credential Phishing: Suspicious language, link, recipients and other indicators

The rule flags inbound messages that have no visible recipients (an empty or "Undisclosed recipients" To field and no Cc or Bcc), whose subject, link text and detected organization name are all in capital letters, and that link to a free file-hosting or free-subdomain host. It also requires the NLU classifier to report a credential-theft intent at any confidence and the sender to be untrusted: new or an outlier, or previously seen sending malicious or spam messages with no recorded false positives.

Sublime rule

name: "Credential Phishing: Suspicious language, link, recipients and other indicators"
description: |
    The rule flags inbound messages that have no visible recipients (an empty or "Undisclosed recipients" To field and no Cc or Bcc), whose subject, link text and detected organization name are all in capital letters, and that link to a free file-hosting or free-subdomain host. It also requires the NLU classifier to report a credential-theft intent at any confidence and the sender to be untrusted: new or an outlier, or previously seen sending malicious or spam messages with no recorded false positives.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // no recipients defined
  and (
    length(recipients.to) == 0
    or all(recipients.to, .display_name == "Undisclosed recipients")
  )
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  and any(body.links,

          // suspicious link
          // we've particularly seen 1drv.ms abused
          // if using the full list causes FPs, we can reduce the
          // scope to a hard-coded list or add exclusions
          (
            .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
          )

          // link text is in all caps
          and regex.match(.display_text, "[A-Z ]+")
  )

  // any confidence cred_theft classification
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft"
  )

  // 'org' entity is in all caps
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "org" and regex.match(.text, "[A-Z ]+")
  )

  // subject is in all caps
  and regex.match(subject.subject, "[A-Z ]+")
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3"
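To see how the six clauses combine, and where the all-caps checks are narrower than they look, here is a Python port of the rule's boolean logic run over a constructed message. This is an added example, not the rule's own code or anything from Sublime; it assumes MQL's regex.match must match the whole string (so it is modelled with re.fullmatch), it substitutes small hard-coded sets for the $free_file_hosts and $free_subdomain_hosts lists, it approximates root_domain as the last two labels, and it supplies the NLU classifier's intents and entities as constructed input data rather than calling a classifier. The character class "[A-Z ]+" admits only letters and spaces, so link text such as "VIEW DOCUMENT!" or a subject containing a digit does not satisfy the rule; the variants below make that visible per clause.

```python
import re
from dataclasses import dataclass, replace
from urllib.parse import urlparse

# Constructed stand-ins for $free_file_hosts / $free_subdomain_hosts (assumption:
# the platform lists are far longer; 1drv.ms is the host the rule comments name).
FREE_FILE_HOSTS = {"1drv.ms", "drive.google.com", "dropbox.com"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "wixsite.com", "glitch.me"}

ALL_CAPS = re.compile(r"[A-Z ]+")


def is_all_caps(text: str) -> bool:
    """MQL regex.match is a whole-string match (assumption), hence fullmatch.
    Digits and punctuation are outside the class, so 'ACME 2024' fails."""
    return ALL_CAPS.fullmatch(text) is not None


def root_domain(host: str) -> str:
    """Last-two-labels approximation of root_domain (assumption; a real port
    needs a public-suffix list for hosts like example.co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class Link:
    href: str
    display_text: str


@dataclass
class SenderProfile:
    prevalence: str                          # "new", "outlier", "common", ...
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


@dataclass
class Message:
    inbound: bool
    subject: str
    to_display_names: list                   # display names of recipients.to
    cc: list
    bcc: list
    links: list
    intents: set                             # constructed NLU intent names
    org_entities: list                       # constructed NLU 'org' entity texts
    sender: SenderProfile


def suspicious_link(link: Link) -> bool:
    host = urlparse(link.href).hostname or ""
    root = root_domain(host)
    on_free_host = (host in FREE_FILE_HOSTS or root in FREE_FILE_HOSTS
                    or root in FREE_SUBDOMAIN_HOSTS)
    return on_free_host and is_all_caps(link.display_text)


def evaluate(msg: Message) -> dict:
    """One boolean per top-level clause, so a non-match explains itself."""
    s = msg.sender
    return {
        "inbound": msg.inbound,
        "no_visible_recipients": (
            (not msg.to_display_names
             or all(n == "Undisclosed recipients" for n in msg.to_display_names))
            and not msg.cc and not msg.bcc),
        "suspicious_all_caps_link": any(suspicious_link(l) for l in msg.links),
        "cred_theft_intent": "cred_theft" in msg.intents,
        "all_caps_org_entity": any(is_all_caps(o) for o in msg.org_entities),
        "all_caps_subject": is_all_caps(msg.subject),
        "untrusted_sender": (
            s.prevalence in ("new", "outlier")
            or (s.any_messages_malicious_or_spam and not s.any_false_positives)),
    }


def matches(msg: Message) -> bool:
    return all(evaluate(msg).values())


# Constructed sample message that satisfies every clause.
SAMPLE = Message(
    inbound=True,
    subject="ACTION REQUIRED",
    to_display_names=["Undisclosed recipients"],
    cc=[], bcc=[],
    links=[Link("https://1drv.ms/u/s!constructed", "VIEW DOCUMENT")],
    intents={"cred_theft"},
    org_entities=["MICROSOFT"],
    sender=SenderProfile("new"),
)

# Constructed variants that each change one clause.
PUNCTUATED_LINK = replace(SAMPLE, links=[Link(SAMPLE.links[0].href, "VIEW DOCUMENT!")])
KNOWN_SENDER = replace(SAMPLE, sender=SenderProfile("common"))
BURNED_SENDER = replace(SAMPLE, sender=SenderProfile("common", any_messages_malicious_or_spam=True))
CC_PRESENT = replace(SAMPLE, cc=["cc@example.invalid"])

if __name__ == "__main__":
    for name, m in [("sample", SAMPLE), ("punctuated", PUNCTUATED_LINK),
                    ("known", KNOWN_SENDER), ("burned", BURNED_SENDER)]:
        print(name, matches(m), evaluate(m))
```

Running it shows the sample and the "burned" sender (common prevalence but prior malicious mail and no false positives) match, while a single exclamation mark in the link text or a single Cc recipient drops the message below the threshold; if you tune the rule, those are the clauses most likely to need widening.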