Reconnaissance: Email address harvesting attempt

Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.

Sublime rule

```yaml
name: "Reconnaissance: Email address harvesting attempt"
description: |
    Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(subject.base) <= 15
  // detect email addresses in body text
  and (
    regex.imatch(body.current_thread.text,
                 '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
    )
  )
  // external freemail sender
  and sender.email.domain.root_domain in $free_email_providers
  // no attachments but allow one link
  and length(attachments) == 0
  and length(body.current_thread.links) == 1
  // negate sender profiles completely if auth is failing
  and (
    (
      not (
        headers.auth_summary.dmarc.pass == false
        or headers.auth_summary.spf.pass == false
      )
      and (
        not profile.by_sender().solicited
        or (
          profile.by_sender().any_messages_malicious_or_spam
          and not profile.by_sender().any_false_positives
        )
      )
      and not profile.by_sender().any_false_positives
    )
    or (
      headers.auth_summary.dmarc.pass == false
      or headers.auth_summary.spf.pass == false
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "bb31efbc-e96d-5697-80ce-343881ee221f"
```
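To make the rule's branching explicit, here is an added Python re-implementation of its logic run over constructed sample messages; it is not Sublime's code. It assumes a stand-in `$free_email_providers` set, flattens the message attributes the rule reads into a dataclass, and searches for the address pattern anywhere in the body (the rule itself uses `regex.imatch`).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Same pattern as the rule, case-insensitive, searched anywhere in the body.
EMAIL_RE = re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}", re.IGNORECASE)

@dataclass
class SenderProfile:            # mirrors the profile.by_sender() fields the rule reads
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool

@dataclass
class Message:                  # the rule's inputs, flattened
    subject: str
    body_text: str
    sender_root_domain: str
    attachments: int
    links: int
    dmarc_pass: Optional[bool]  # None when no auth result is present
    spf_pass: Optional[bool]
    profile: SenderProfile

def auth_failing(m: Message) -> bool:
    # MQL's `x == false` is only true for an explicit false, not for null.
    return m.dmarc_pass is False or m.spf_pass is False

def profile_suspicious(p: SenderProfile) -> bool:
    # Unsolicited, or previously flagged as malicious/spam, and never a false positive.
    return (not p.solicited or (p.any_messages_malicious_or_spam and not p.any_false_positives)) and not p.any_false_positives

def matches_rule(m: Message) -> bool:
    if len(m.subject) > 15 or not EMAIL_RE.search(m.body_text):
        return False
    if m.sender_root_domain not in FREE_EMAIL_PROVIDERS:
        return False
    if m.attachments != 0 or m.links != 1:
        return False
    # Failing auth fires regardless of sender history; otherwise require a suspicious profile.
    return auth_failing(m) or profile_suspicious(m.profile)

# Constructed sample messages (not real traffic).
UNSOLICITED = SenderProfile(solicited=False, any_messages_malicious_or_spam=False, any_false_positives=False)
TRUSTED = SenderProfile(solicited=True, any_messages_malicious_or_spam=False, any_false_positives=False)
PROBE = Message("Hi", "Is this still your address? j.smith@example.com", "gmail.com", 0, 1, True, True, UNSOLICITED)
KNOWN_GOOD = Message("Hi", "Is this still your address? j.smith@example.com", "gmail.com", 0, 1, True, True, TRUSTED)
SPOOFED = Message("Hi", "Is this still your address? j.smith@example.com", "gmail.com", 0, 1, False, True, TRUSTED)
```

`PROBE` fires on sender profile alone, `KNOWN_GOOD` is suppressed by the solicited profile, and `SPOOFED` fires because the DMARC failure overrides that profile.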
