Suspicious Recipients pattern with no Compauth pass and suspicious content
Detects messages with undisclosed recipients (likely all bcc), where the Compauth verdict is not 'pass', and ML has identified suspicious language or credential phishing links.
Sublime rule (View on GitHub)
1name: "Suspicious Recipients pattern with no Compauth pass and suspicious content"
2description: "Detects messages with undisclosed recipients (likely all bcc), where the Compauth verdict is not 'pass', and ML has identified suspicious language or credential phishing links."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
8 and length(recipients.cc) == 0
9 and length(recipients.bcc) == 0
10 and 2 of (
11 (
12 any(headers.hops,
13 .authentication_results.compauth.verdict is not null
14 and .authentication_results.compauth.verdict not in ("pass", "softpass")
15 )
16 ),
17 (
18 any(ml.nlu_classifier(body.current_thread.text).intents,
19 .name in ("bec", "cred_theft", "advance_fee") and .confidence == "high"
20 )
21 ),
22 (
23 any(body.links,
24 any([ml.link_analysis(.)],
25 .credphish.disposition == "phishing" and .credphish.confidence in ("high")
26 )
27 )
28 )
29 )
30 and (
31 profile.by_sender().prevalence in ("new", "outlier")
32 or (
33 profile.by_sender().any_messages_malicious_or_spam
34 and not profile.by_sender().any_false_positives
35 )
36 )
37 // negate highly trusted sender domains unless they fail DMARC authentication
38 and (
39 (
40 sender.email.domain.root_domain in $high_trust_sender_root_domains
41 and not headers.auth_summary.dmarc.pass
42 )
43 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
44 )
45detection_methods:
46 - "Content analysis"
47 - "Computer Vision"
48 - "Header analysis"
49 - "Natural Language Understanding"
50 - "URL analysis"
51 - "URL screenshot"
52id: "34fb65f6-03e8-5752-b602-4f294172b5db"