Reconnaissance: Email address harvesting attempt

Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: Email address harvesting attempt"
 2description: |
 3    Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and length(subject.base) <= 15
 9  // detect email addresses in body text
10  and (
11    regex.imatch(body.current_thread.text, '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}')
12  )
13  // external freemail sender
14  and sender.email.domain.root_domain in $free_email_providers
15  // no attachments but allow one link  
16  and length(attachments) == 0
17  and length(body.current_thread.links) == 1
18  // negate sender profiles completely if auth is failing
19  and (
20    (
21      not (
22        headers.auth_summary.dmarc.pass == false
23        or headers.auth_summary.spf.pass == false
24      )
25      and (
26        not profile.by_sender().solicited
27        or (
28          profile.by_sender().any_messages_malicious_or_spam
29          and not profile.by_sender().any_false_positives
30        )
31      )
32      and not profile.by_sender().any_false_positives
33    )
34    or (
35      headers.auth_summary.dmarc.pass == false
36      or headers.auth_summary.spf.pass == false
37    )
38  )  
39
40tags:
41 - "Attack surface reduction"
42attack_types:
43  - "BEC/Fraud"
44  - "Credential Phishing"
45  - "Spam"
46tactics_and_techniques:
47  - "Free email provider"
48  - "Social engineering"
49detection_methods:
50  - "Content analysis"
51  - "Header analysis"
52  - "Sender analysis"
53  - "URL analysis"
54id: "bb31efbc-e96d-5697-80ce-343881ee221f"

Related rules

to-top