Mass campaign: recipient address in subject, body, and link (untrusted sender)
This detects a pattern commonly observed in mass phishing campaigns.
The local_part or the full email address of the recipient is used in the subject, body, and link query parameter to "personalize" the attack.
Sublime rule (View on GitHub)
1name: "Mass campaign: recipient address in subject, body, and link (untrusted sender)"
2description: |
3 This detects a pattern commonly observed in mass phishing campaigns.
4
5 The local_part or the full email address of the recipient is used in the subject,
6 body, and link query parameter to "personalize" the attack.
7references:
8 - "https://playground.sublimesecurity.com?id=d9143109-8886-4639-b634-d0a671848eb6"
9type: "rule"
10severity: "medium"
11source: |
12 type.inbound
13 and length(recipients.to) + length(recipients.bcc) + length(recipients.cc) == 1
14
15 // exclude To: Undisclosed recipients:;
16 // since we won't have a valid recipient email
17 and any(recipients.to, .email.domain.valid == true)
18 and (
19 profile.by_sender().prevalence in ("new", "outlier")
20 or (
21 profile.by_sender().any_messages_malicious_or_spam
22 and not profile.by_sender().any_false_positives
23 )
24 )
25 and (
26 any(recipients.to,
27 (
28 strings.icontains(subject.subject, .email.email)
29 or strings.icontains(subject.subject, .email.local_part)
30 )
31 and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
32 )
33 )
34 and any([body.html.inner_text, body.plain.raw],
35 any(recipients.to, strings.icontains(.., .email.email))
36 )
37 and any(body.links, any(recipients.to, strings.icontains(..href_url.query_params, .email.email)))
38 and any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents,
39 .name in ("cred_theft") and .confidence == "high"
40 )
41 and any(ml.nlu_classifier(body.current_thread.text).intents,
42 .name in ("cred_theft") and .confidence == "high"
43 )
44
45 // negate highly trusted sender domains unless they fail DMARC authentication
46 and (
47 (
48 sender.email.domain.root_domain in $high_trust_sender_root_domains
49 and not headers.auth_summary.dmarc.pass
50 )
51 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52 )
53attack_types:
54 - "Credential Phishing"
55tactics_and_techniques:
56 - "Social engineering"
57detection_methods:
58 - "Header analysis"
59 - "Natural Language Understanding"
60 - "Sender analysis"
61id: "599dabf5-6287-5adf-8a8f-70649ccf0f92"