Credential Phishing: Suspicious language, link, recipients and other indicators

The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender.

Sublime rule (View on GitHub)

 1name: "Credential Phishing: Suspicious language, link, recipients and other indicators"
 2description: |
 3    The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8
 9  // no recipients defined
10  and (
11    length(recipients.to) == 0
12    or all(recipients.to, .display_name == "Undisclosed recipients")
13  )
14  and length(recipients.cc) == 0
15  and length(recipients.bcc) == 0
16  and any(body.links,
17
18          // suspicious link
19          // we've particularly seen 1drv.ms abused
20          // if using the full list causes FPs, we can reduce the 
21          // scope to a hard-coded list or add exclusions
22          (
23            .href_url.domain.domain in $free_file_hosts
24            or .href_url.domain.root_domain in $free_file_hosts
25            or .href_url.domain.root_domain in $free_subdomain_hosts
26          )
27
28          // link text is in all caps
29          and regex.match(.display_text, "[A-Z ]+")
30  )
31
32  // any confidence cred_theft classification
33  and any(ml.nlu_classifier(body.current_thread.text).intents,
34          .name == "cred_theft"
35  )
36
37  // 'org' entity is in all caps
38  and any(ml.nlu_classifier(body.current_thread.text).entities,
39          .name == "org" and regex.match(.text, "[A-Z ]+")
40  )
41
42  // subject is in all caps
43  and regex.match(subject.subject, "[A-Z ]+")
44  and (
45    profile.by_sender().prevalence in ("new", "outlier")
46    or (
47      profile.by_sender().any_messages_malicious_or_spam
48      and not profile.by_sender().any_false_positives
49    )
50  )  
51
52attack_types:
53  - "Credential Phishing"
54tactics_and_techniques:
55  - "Evasion"
56detection_methods:
57  - "Content analysis"
58  - "Header analysis"
59  - "Natural Language Understanding"
60  - "Sender analysis"
61  - "URL analysis"
62id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3"
to-top