Cyrillic vowel substitutions with suspicious subject from unknown sender
This rule detects unsolicited messages with between 1-9 links containing a suspicious subject as well as Cyrillic vowel substitutions detected in either the subject or the senders display name.
Sublime rule (View on GitHub)
1name: "Cyrillic vowel substitutions with suspicious subject from unknown sender"
2description: "This rule detects unsolicited messages with between 1-9 links containing a suspicious subject as well as Cyrillic vowel substitutions detected in either the subject or the senders display name."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7
8 and 0 < length(body.links) < 10
9
10 // display name or subject contains confusable vowels
11 and any([subject.subject, sender.display_name],
12 regex.icontains(., '(а|е|и|о|у)')
13 )
14
15 // and suspicious subject
16 and regex.icontains(subject.subject,
17 // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects_regex.txt
18 "termination.*notice",
19 "38417",
20 ":completed",
21 "[il1]{2}mit.*ma[il1]{2} ?bo?x",
22 "[il][il][il]egai[ -]",
23 "[li][li][li]ega[li] attempt",
24 "[ng]-?[io]n .*block",
25 "[ng]-?[io]n .*cancel",
26 "[ng]-?[io]n .*deactiv",
27 "[ng]-?[io]n .*disabl",
28 "action.*required",
29 "abandon.*package",
30 "about.your.account",
31 "acc(ou)?n?t (is )?on ho[li]d",
32 "acc(ou)?n?t.*terminat",
33 "acc(oun)?t.*[il1]{2}mitation",
34 "access.*limitation",
35 "account (will be )?block",
36 "account.*de-?activat",
37 "account.*locked",
38 "account.*re-verification",
39 "account.*security",
40 "account.*suspension",
41 "account.has.been",
42 "account.has.expired",
43 "account.will.be.blocked",
44 "account v[il]o[li]at",
45 "activity.*acc(oun)?t",
46 "almost.full",
47 "app[li]e.[il]d",
48 "authenticate.*account",
49 "been.*suspend",
50 "clos.*of.*account.*processed",
51 "confirm.your.account",
52 "courier.*able",
53 "crediential.*notif",
54 "deactivation.*in.*progress",
55 "delivery.*attempt.*failed",
56 "document.received",
57 "documented.*shared.*with.*you",
58 "dropbox.*document",
59 "e-?ma[il1]+ .{010}suspen",
60 "e-?ma[il1]{1} user",
61 "e-?ma[il1]{2} acc",
62 "e-?ma[il1]{2}.*up.?grade",
63 "e.?ma[il1]{2}.*server",
64 "e.?ma[il1]{2}.*suspend",
65 "email.update",
66 "faxed you",
67 "fraud(ulent)?.*charge",
68 "from.helpdesk",
69 "fu[il1]{2}.*ma[il1]+[ -]?box",
70 "has.been.*suspended",
71 "has.been.limited",
72 "have.locked",
73 "he[li]p ?desk upgrade",
74 "heipdesk",
75 "i[il]iega[il]",
76 "ii[il]ega[il]",
77 "incoming e?mail",
78 "incoming.*fax",
79 "lock.*security",
80 "ma[il1]{1}[ -]?box.*quo",
81 "ma[il1]{2}[ -]?box.*fu[il1]",
82 "ma[il1]{2}box.*[il1]{2}mit",
83 "ma[il1]{2}box stor",
84 "mail on.?hold",
85 "mail.*box.*migration",
86 "mail.*de-?activat",
87 "mail.update.required",
88 "mails.*pending",
89 "messages.*pending",
90 "missed.*shipping.*notification",
91 "missed.shipment.notification",
92 "must.update.your.account",
93 "new [sl][io]g?[nig][ -]?in from",
94 "new voice ?-?mail",
95 "notifications.*pending",
96 "office.*3.*6.*5.*suspend",
97 "office365",
98 "on google docs with you",
99 "online doc",
100 "password.*compromised",
101 "periodic maintenance",
102 "potential(ly)? unauthorized",
103 "refund not approved",
104 "revised.*policy",
105 "scam",
106 "scanned.?invoice",
107 "secured?.update",
108 "security breach",
109 "securlty",
110 "signed.*delivery",
111 "status of your .{314}? ?delivery",
112 "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
113 "suspicious.*sign.*[io]n",
114 "suspicious.activit",
115 "temporar(il)?y deactivate",
116 "temporar[il1]{2}y disab[li]ed",
117 "temporarily.*lock",
118 "un-?usua[li].activity",
119 "unable.*deliver",
120 "unauthorized.*activit",
121 "unauthorized.device",
122 "unauthorized.sign.?in",
123 "unrecognized.*activit",
124 "unrecognized.sign.?in",
125 "unrecognized.*activit",
126 "undelivered message",
127 "unread.*doc",
128 "unusual.activity",
129 "upgrade.*account",
130 "upgrade.notice",
131 "urgent message",
132 "urgent.verification",
133 "v[il1]o[li1]at[il1]on security",
134 "va[il1]{1}date.*ma[il1]{2}[ -]?box",
135 "verification ?-?require",
136 "verification( )?-?need",
137 "verify.your?.account",
138 "web ?-?ma[il1]{2}",
139 "web[ -]?ma[il1]{2}",
140 "will.be.suspended",
141 "your (customer )?account .as",
142 "your.office.365",
143 "your.online.access",
144
145 // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
146 "account has been limited",
147 "action required",
148 "almost full",
149 "apd notifi cation",
150 "are you at your desk",
151 "are you available",
152 "attached file to docusign",
153 "banking is temporarily unavailable",
154 "bankofamerica",
155 "closing statement invoice",
156 "completed: docusign",
157 "de-activation of",
158 "delivery attempt",
159 "delivery stopped for shipment",
160 "detected suspicious",
161 "detected suspicious actvity",
162 "docu sign",
163 "document for you",
164 "document has been sent to you via docusign",
165 "document is ready for signature",
166 "docusign",
167 "encrypted message",
168 "failed delivery",
169 "fedex tracking",
170 "file was shared",
171 "freefax",
172 "fwd: due invoice paid",
173 "has shared",
174 "inbox is full",
175 "invitation to comment",
176 "invitation to edit",
177 "invoice due",
178 "left you a message",
179 "message from",
180 "new message",
181 "new voicemail",
182 "on desk",
183 "out of space",
184 "password reset",
185 "payment status",
186 "quick reply",
187 "re: w-2",
188 "required",
189 "required: completed docusign",
190 "ringcentral",
191 "scanned image",
192 "secured files",
193 "secured pdf",
194 "security alert",
195 "new sign-in",
196 "new sign in",
197 "sign-in attempt",
198 "sign in attempt",
199 "staff review",
200 "suspicious activity",
201 "unrecognized login attempt",
202 "upgrade immediately",
203 "urgent",
204 "wants to share",
205 "w2",
206 "you have notifications pending",
207 "your account",
208 "your amazon order",
209 "your document settlement",
210 "your order with amazon",
211 "your password has been compromised",
212 )
213
214 // the message is unsolicited and no false positives
215 and (
216 not profile.by_sender().solicited
217 or (
218 length(headers.reply_to) > 0
219 and all(headers.reply_to, .email.email not in $recipient_emails)
220 )
221 )
222 and not profile.by_sender().any_false_positives
223attack_types:
224 - "Credential Phishing"
225tactics_and_techniques:
226 - "Evasion"
227 - "Impersonation: Brand"
228 - "Social engineering"
229detection_methods:
230 - "Content analysis"
231 - "Sender analysis"
232id: "10251c3c-b926-5742-9417-4cf58d182230"