Suspicious Recipients pattern with no Compauth pass and suspicious content

Detects messages with undisclosed recipients (likely all bcc), where the Compauth verdict is not 'pass', and ML has identified suspicious language or credential phishing links.

Sublime rule

name: "Suspicious Recipients pattern with no Compauth pass and suspicious content"
description: "Detects messages with undisclosed recipients (likely all bcc), where the Compauth verdict is not 'pass', and ML has identified suspicious language or credential phishing links."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  and 2 of (
    (
      any(headers.hops,
          .authentication_results.compauth.verdict is not null
          and .authentication_results.compauth.verdict not in ("pass", "softpass")
      )
    ),
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("bec", "cred_theft") and .confidence == "high"
      )
    ),
    (
      any(body.links,
          any([beta.linkanalysis(.)],
              .credphish.disposition == "phishing" and .credphish.confidence in ("high")
          )
      )
    )
  )
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "URL screenshot"
id: "34fb65f6-03e8-5752-b602-4f294172b5db"
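The rule's "2 of 3 signals" logic, re-expressed in Python as an added example for readers who want to see how the conditions combine (this is not the rule itself or Sublime code). It assumes message fields arrive as plain dicts, extracts the compauth verdict from a constructed Microsoft-style Authentication-Results value, and uses constructed dicts in place of the ml.nlu_classifier and beta.linkanalysis outputs; the sample header and message are made up.

```python
import re

# Constructed Authentication-Results value (made-up hosts/IPs) with a Microsoft-style compauth verdict.
SAMPLE_AUTH_RESULTS = ("spf=none (sender IP is 203.0.113.5) smtp.mailfrom=example.test; "
                       "dkim=none (message not signed) header.d=none; "
                       "dmarc=none action=none header.from=example.test; compauth=fail reason=001")
COMPAUTH_RE = re.compile(r"\bcompauth=(\w+)")

def compauth_verdict(auth_results):
    """Extract the compauth verdict from an Authentication-Results value; None when absent."""
    match = COMPAUTH_RE.search(auth_results or "")
    return match.group(1).lower() if match else None

def undisclosed_recipients(to, cc, bcc):
    """Recipient pattern: empty or 'Undisclosed recipients' To, and no visible Cc or Bcc."""
    to_ok = len(to) == 0 or all(r.get("display_name") == "Undisclosed recipients" for r in to)
    return to_ok and len(cc) == 0 and len(bcc) == 0

def compauth_not_passed(hops):
    """Signal only on an explicit verdict outside pass/softpass; a missing verdict is not a signal."""
    for hop in hops:
        verdict = compauth_verdict(hop.get("authentication_results"))
        if verdict is not None and verdict not in ("pass", "softpass"):
            return True
    return False

def suspicious_intent(intents):
    """Stand-in for ml.nlu_classifier output: high-confidence BEC or credential-theft intent."""
    return any(i["name"] in ("bec", "cred_theft") and i["confidence"] == "high" for i in intents)

def credphish_link(link_verdicts):
    """Stand-in for beta.linkanalysis output: a link judged phishing with high confidence."""
    return any(v["disposition"] == "phishing" and v["confidence"] == "high" for v in link_verdicts)

def rule_matches(msg):
    """Apply the rule: inbound, undisclosed recipients, and at least 2 of the 3 signals."""
    if not msg["inbound"] or not undisclosed_recipients(msg["to"], msg["cc"], msg["bcc"]):
        return False
    signals = (compauth_not_passed(msg["hops"]), suspicious_intent(msg["intents"]),
               credphish_link(msg["link_verdicts"]))
    return sum(signals) >= 2

# Constructed message: all-Bcc delivery, compauth fail, high-confidence cred_theft, no phishing link.
SAMPLE_MESSAGE = {
    "inbound": True, "to": [], "cc": [], "bcc": [],
    "hops": [{"authentication_results": SAMPLE_AUTH_RESULTS}],
    "intents": [{"name": "cred_theft", "confidence": "high"}],
    "link_verdicts": [{"disposition": "benign", "confidence": "low"}],
}
```

Note that a hop with no compauth result contributes nothing: the rule requires an explicit non-pass verdict, so a message that never passed through a compauth-evaluating hop must hit both ML signals to fire.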