Mass campaign: Cross Site Scripting (XSS) attempt
Message subject or body contains Cross Site Scripting (XSS) indicators, and was sent to multiple unknown recipients. Known spam technique.
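name: "Mass campaign: Cross Site Scripting (XSS) attempt"
# Description previously said "multiple unknown senders"; the logic below counts
# external, unknown *recipients* in the To: header, so the wording is corrected.
description: "Message subject or body contains Cross Site Scripting (XSS) indicators, and was sent to multiple unknown recipients. Known spam technique."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Mass-mailing signal: more than 10 To: recipients, of which at least 10 are
  // outside the org, not previously seen as recipients, and either carry a
  // valid domain or look like an "undisclosed recipients" placeholder.
  and (
    length(recipients.to) > 10
    and length(filter(recipients.to,
                      .email.domain.domain not in $org_domains
                      and .email.email not in $recipient_emails
                      and (
                        .email.domain.valid
                        or strings.icontains(.display_name, "undisclosed")
                      )
               )
    ) >= 10
  )

  // XSS probe indicators in the subject or the current thread body.
  // Patterns are case-insensitive globs; the same list is applied to both fields.
  and (
    strings.ilike(subject.subject,
                  '*<*script*>*',
                  '*xss.report*',
                  '*eval(atob*',
                  '*<*onload*>*',
                  '*<*onerror*>*'
    )
    or strings.ilike(body.current_thread.text,
                     '*<*script*>*',
                     '*xss.report*',
                     '*eval(atob*',
                     '*<*onload*>*',
                     '*<*onerror*>*'
    )
  )

  // Link constraint: no links at all, or exactly one link whose domain is
  // "this.id" (presumably a domain observed in these campaigns — confirm).
  and (
    length(body.links) == 0
    or (
      length(body.links) == 1
      and all(body.links, .href_url.domain.domain == "this.id")
    )
  )

  // Sender reputation: not a commonly seen sender, unsolicited, and no prior
  // false positives recorded for this sender profile.
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): if no hop carries a DMARC result (all null), the inner any()
  // is false and a high-trust root domain is still exempted — confirm that a
  // missing DMARC result should be treated the same as a pass here.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Exploit"
  - "Free email provider"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "6cbb7124-2e84-50a5-a707-cc26683bb42a"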