Reconnaissance: Email address harvesting attempt
Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.
Sublime rule

```yaml
name: "Reconnaissance: Email address harvesting attempt"
description: |
  Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(subject.base) <= 15
  // detect email addresses in body text
  and (
    regex.imatch(body.current_thread.text, '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}')
  )
  // external freemail sender
  and sender.email.domain.root_domain in $free_email_providers
  // no attachments and exactly one link
  and length(attachments) == 0
  and length(body.current_thread.links) == 1
  // negate sender profiles completely if auth is failing
  and (
    (
      not (
        headers.auth_summary.dmarc.pass == false
        or headers.auth_summary.spf.pass == false
      )
      and (
        not profile.by_sender().solicited
        or (
          profile.by_sender().any_messages_malicious_or_spam
          and not profile.by_sender().any_false_positives
        )
      )
      and not profile.by_sender().any_false_positives
    )
    or (
      headers.auth_summary.dmarc.pass == false
      or headers.auth_summary.spf.pass == false
    )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "bb31efbc-e96d-5697-80ce-343881ee221f"
```
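To make the rule's logic concrete, here is an added Python model of its conditions run over a handful of constructed messages. This is illustrative code written for this page, not Sublime's evaluator or anything from the rule's repository. It assumes a small stand-in for the `$free_email_providers` list, approximates `subject.base` by stripping Re:/Fw:/Fwd: prefixes, and implements the body test as a substring search with the rule's own pattern (whether MQL's `regex.imatch` anchors to the whole string is not stated on the page, so that is an assumption). The `Message` and `SenderProfile` dataclasses simply mirror the fields the rule reads; the sample messages are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Same pattern as the rule; re.IGNORECASE mirrors the "i" in regex.imatch.
EMAIL_RE = re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}", re.IGNORECASE)

# Reply/forward prefixes stripped to approximate subject.base (assumption).
REPLY_PREFIX_RE = re.compile(r"^\s*(?:re|fw|fwd)\s*:\s*", re.IGNORECASE)


@dataclass
class SenderProfile:
    """Mirrors the three profile.by_sender() fields the rule consults."""
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool


@dataclass
class Message:
    """Minimal stand-in for the message fields the rule reads (hypothetical)."""
    inbound: bool
    subject: str
    body_text: str              # body.current_thread.text
    sender_root_domain: str     # sender.email.domain.root_domain
    attachments: int            # length(attachments)
    links: int                  # length(body.current_thread.links)
    dmarc_pass: Optional[bool]  # None models an absent authentication result
    spf_pass: Optional[bool]
    profile: SenderProfile


def subject_base(subject: str) -> str:
    """Strip repeated Re:/Fw:/Fwd: prefixes, approximating subject.base."""
    prev = None
    while prev != subject:
        prev, subject = subject, REPLY_PREFIX_RE.sub("", subject, count=1)
    return subject.strip()


def auth_failing(m: Message) -> bool:
    # `x == false` in the rule is only true for an explicit false, so a missing
    # DMARC/SPF result (None) does not count as a failure.
    return m.dmarc_pass is False or m.spf_pass is False


def sender_profile_suspicious(m: Message) -> bool:
    """The sender-profile branch: unsolicited, or previously bad with no false positives."""
    p = m.profile
    return (
        (not p.solicited or (p.any_messages_malicious_or_spam and not p.any_false_positives))
        and not p.any_false_positives
    )


def rule_matches(m: Message) -> bool:
    """Return True when the message satisfies every condition of the rule."""
    return (
        m.inbound
        and len(subject_base(m.subject)) <= 15
        and EMAIL_RE.search(m.body_text) is not None
        and m.sender_root_domain in FREE_EMAIL_PROVIDERS
        and m.attachments == 0
        and m.links == 1
        # The sender-profile checks only apply when authentication is not failing;
        # a DMARC or SPF failure on its own satisfies this branch.
        and ((not auth_failing(m) and sender_profile_suspicious(m)) or auth_failing(m))
    )


def sample_messages() -> Dict[str, Message]:
    """Constructed messages covering the rule's main branches."""
    unknown = SenderProfile(solicited=False, any_messages_malicious_or_spam=False, any_false_positives=False)
    known = SenderProfile(solicited=True, any_messages_malicious_or_spam=False, any_false_positives=False)
    base = dict(
        inbound=True, subject="Re: Quick question",
        body_text="Hi, please confirm that jane.doe@example.com is still your address.",
        sender_root_domain="gmail.com", attachments=0, links=1,
        dmarc_pass=True, spf_pass=True, profile=unknown,
    )
    return {
        "unsolicited_freemail": Message(**base),
        "known_sender_auth_fail": Message(**{**base, "profile": known, "dmarc_pass": False}),
        "known_sender_auth_pass": Message(**{**base, "profile": known}),
        "long_subject": Message(**{**base, "subject": "Quarterly budget review for Q3"}),
        "corporate_sender": Message(**{**base, "sender_root_domain": "example.org"}),
        "missing_auth_unknown": Message(**{**base, "dmarc_pass": None, "spf_pass": None}),
    }


def evaluate_samples() -> Dict[str, bool]:
    return {name: rule_matches(m) for name, m in sample_messages().items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} -> {'ALERT' if hit else 'pass'}")
```

The two auth-related samples show the point of the rule's last block: a solicited (known) sender is exempt while DMARC and SPF pass, but that exemption disappears the moment either check fails, because a spoofed message can carry any sender address. The `missing_auth_unknown` case shows the complementary edge: an absent authentication result is not a failure, so an unauthenticated message from an unknown freemail sender still relies on the profile checks to fire.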